How can I keep track of a user's session via JWT without storing it as a cookie or in...











up vote
0
down vote

favorite
1












I've read in several places that it's not recommended to store a JWT in the browser, either in storage or as a cookie. Even if it was, for the current application I'm developing, we have the JWT stored on a java servlet, and are using a separate React app as a frontend.



I was thinking that I could just give each user an ID in a cookie and then check that their session is still valid by comparing the associated JWT.



Is there some recommended method for keeping track of a user's session with a JWT without actually sending the JWT to the user at any point? Every search I try results in a dozen articles telling me not to send JWT to the browser and store it there, but I wasn't planning to anyway. I'd like to avoid having to handle multiple methods of maintaining a user's session, and the JWT is something that isn't optional at this point.






java reactjs session jwt







share|improve this question






















  • You must have store the JWT tokens somewhere at client side. I prefer cookies with httpOnly option. Since session ends on tab close.
    – Aravind P
    Nov 9 at 16:52












  • @AravindP I can't store some kind of ID on the client side and look up a JWT server-side for each request?
    – realmature
    Nov 9 at 16:59










  • The only way you can store anything at all (in a practical sense)on the client side is through a cookie. There is no way you can keep track of users without sessions unless you made database requests with every url they requested which again isn't practical.
    – Jonathan Laliberte
    Nov 9 at 17:10










  • @JonathanLaliberte Right.... I'm not asking if there's a way to not store anything. I'm asking if there's a best practice for what to store instead of a JWT. I'm literally just thinking of a keeping map of id to jwt and wondering if there's a smarter way than that.
    – realmature
    Nov 9 at 17:41















up vote
0
down vote

favorite
1












I've read in several places that it's not recommended to store a JWT in the browser, either in storage or as a cookie. Even if it was, for the current application I'm developing, we have the JWT stored on a java servlet, and are using a separate React app as a frontend.



I was thinking that I could just give each user an ID in a cookie and then check that their session is still valid by comparing the associated JWT.



Is there some recommended method for keeping track of a user's session with a JWT without actually sending the JWT to the user at any point? Every search I try results in a dozen articles telling me not to send JWT to the browser and store it there, but I wasn't planning to anyway. I'd like to avoid having to handle multiple methods of maintaining a user's session, and the JWT is something that isn't optional at this point.






java reactjs session jwt







share|improve this question






















  • You must have store the JWT tokens somewhere at client side. I prefer cookies with httpOnly option. Since session ends on tab close.
    – Aravind P
    Nov 9 at 16:52












  • @AravindP I can't store some kind of ID on the client side and look up a JWT server-side for each request?
    – realmature
    Nov 9 at 16:59










  • The only way you can store anything at all (in a practical sense)on the client side is through a cookie. There is no way you can keep track of users without sessions unless you made database requests with every url they requested which again isn't practical.
    – Jonathan Laliberte
    Nov 9 at 17:10










  • @JonathanLaliberte Right.... I'm not asking if there's a way to not store anything. I'm asking if there's a best practice for what to store instead of a JWT. I'm literally just thinking of a keeping map of id to jwt and wondering if there's a smarter way than that.
    – realmature
    Nov 9 at 17:41













up vote
0
down vote

favorite
1









up vote
0
down vote

favorite
1






1





I've read in several places that it's not recommended to store a JWT in the browser, either in storage or as a cookie. Even if it was, for the current application I'm developing, we have the JWT stored on a java servlet, and are using a separate React app as a frontend.



I was thinking that I could just give each user an ID in a cookie and then check that their session is still valid by comparing the associated JWT.



Is there some recommended method for keeping track of a user's session with a JWT without actually sending the JWT to the user at any point? Every search I try results in a dozen articles telling me not to send JWT to the browser and store it there, but I wasn't planning to anyway. I'd like to avoid having to handle multiple methods of maintaining a user's session, and the JWT is something that isn't optional at this point.






java reactjs session jwt







share|improve this question













I've read in several places that it's not recommended to store a JWT in the browser, either in storage or as a cookie. Even if it was, for the current application I'm developing, we have the JWT stored on a java servlet, and are using a separate React app as a frontend.



I was thinking that I could just give each user an ID in a cookie and then check that their session is still valid by comparing the associated JWT.



Is there some recommended method for keeping track of a user's session with a JWT without actually sending the JWT to the user at any point? Every search I try results in a dozen articles telling me not to send JWT to the browser and store it there, but I wasn't planning to anyway. I'd like to avoid having to handle multiple methods of maintaining a user's session, and the JWT is something that isn't optional at this point.






java reactjs session jwt




java reactjs session jwt






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 9 at 16:33









realmature

2818




2818












  • You must have store the JWT tokens somewhere at client side. I prefer cookies with httpOnly option. Since session ends on tab close.
    – Aravind P
    Nov 9 at 16:52












  • @AravindP I can't store some kind of ID on the client side and look up a JWT server-side for each request?
    – realmature
    Nov 9 at 16:59










  • The only way you can store anything at all (in a practical sense)on the client side is through a cookie. There is no way you can keep track of users without sessions unless you made database requests with every url they requested which again isn't practical.
    – Jonathan Laliberte
    Nov 9 at 17:10










  • @JonathanLaliberte Right.... I'm not asking if there's a way to not store anything. I'm asking if there's a best practice for what to store instead of a JWT. I'm literally just thinking of a keeping map of id to jwt and wondering if there's a smarter way than that.
    – realmature
    Nov 9 at 17:41


















  • You must have store the JWT tokens somewhere at client side. I prefer cookies with httpOnly option. Since session ends on tab close.
    – Aravind P
    Nov 9 at 16:52












  • @AravindP I can't store some kind of ID on the client side and look up a JWT server-side for each request?
    – realmature
    Nov 9 at 16:59










  • The only way you can store anything at all (in a practical sense)on the client side is through a cookie. There is no way you can keep track of users without sessions unless you made database requests with every url they requested which again isn't practical.
    – Jonathan Laliberte
    Nov 9 at 17:10










  • @JonathanLaliberte Right.... I'm not asking if there's a way to not store anything. I'm asking if there's a best practice for what to store instead of a JWT. I'm literally just thinking of a keeping map of id to jwt and wondering if there's a smarter way than that.
    – realmature
    Nov 9 at 17:41
















You must have store the JWT tokens somewhere at client side. I prefer cookies with httpOnly option. Since session ends on tab close.
– Aravind P
Nov 9 at 16:52






You must have store the JWT tokens somewhere at client side. I prefer cookies with httpOnly option. Since session ends on tab close.
– Aravind P
Nov 9 at 16:52














@AravindP I can't store some kind of ID on the client side and look up a JWT server-side for each request?
– realmature
Nov 9 at 16:59




@AravindP I can't store some kind of ID on the client side and look up a JWT server-side for each request?
– realmature
Nov 9 at 16:59












The only way you can store anything at all (in a practical sense)on the client side is through a cookie. There is no way you can keep track of users without sessions unless you made database requests with every url they requested which again isn't practical.
– Jonathan Laliberte
Nov 9 at 17:10




The only way you can store anything at all (in a practical sense)on the client side is through a cookie. There is no way you can keep track of users without sessions unless you made database requests with every url they requested which again isn't practical.
– Jonathan Laliberte
Nov 9 at 17:10












@JonathanLaliberte Right.... I'm not asking if there's a way to not store anything. I'm asking if there's a best practice for what to store instead of a JWT. I'm literally just thinking of a keeping map of id to jwt and wondering if there's a smarter way than that.
– realmature
Nov 9 at 17:41




@JonathanLaliberte Right.... I'm not asking if there's a way to not store anything. I'm asking if there's a best practice for what to store instead of a JWT. I'm literally just thinking of a keeping map of id to jwt and wondering if there's a smarter way than that.
– realmature
Nov 9 at 17:41

















active

oldest

votes











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














 

draft saved


draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53229732%2fhow-can-i-keep-track-of-a-users-session-via-jwt-without-storing-it-as-a-cookie%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown






























active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes
















 

draft saved


draft discarded



















































 


draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53229732%2fhow-can-i-keep-track-of-a-users-session-via-jwt-without-storing-it-as-a-cookie%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Schultheiß

Image
Der Titel dieses Artikels ist mehrdeutig. Weitere Bedeutungen sind unter Schultheiß (Begriffsklärung) aufgeführt. Ein Schultheiß. Holzschnitt von Peter Flötner (16. Jahrhundert) Der Schultheiß oder Schuldheiß (von althochdeutsch  sculdheizo ‚Leistung Befehlender‘, vgl. mittelniederdeutsch  schult(h)ēte , latinisiert (mittellat.) sculte(t)us , schwäbisch heute noch Schultes für „Bürgermeister“) bezeichnet einen in vielen westgermanischen Rechtsordnungen vorgesehenen Beamten, der Schuld heischt : Er hatte im Auftrag seines Herren (Landesherrn, Stadtherrn, Grundherrn) die Mitglieder einer Gemeinde zur Leistung ihrer Schuldigkeit anzuhalten, also Abgaben einzuziehen oder für das Beachten anderer Verpflichtungen Sorge zu tragen. Sprachliche Varianten des Schultheißen sind Schulte , Schultes oder Schulze . Früher wurde zwischen dem Stadtschulzen und dem Dorfschulzen unterschieden. In der städtischen Gerichts- und Gemeindeverfassung war er ein vom städtischen Rat oder vom L...
Read more

Verwaltungsgliederung Dänemarks

Image
Das Königreich Dänemark umfasst neben dem kontinentaleuropäischen Kernland auch die autonomen Außengebiete Färöer und Grönland. Die staatsrechtliche Einheit von Mutterland und ehemaligen Besitzungen wird als „Reichsgemeinschaft“ (dänisch rigsfællesskabet ) bezeichnet. Die Verwaltungsgliederung des dänischen Kernlandes umfasst seit dem 1. Januar 2007 fünf Regionen und 98 Kommunen. Die Amtsbezirke/Kreise (dän. amt ) wurden im Zuge einer Gebietsreform abgeschafft. Ihre Zuständigkeiten wurden auf Regional- und kommunale Ebene verteilt. Inhaltsverzeichnis 1 Regionen 2 Kommunen 3 Historische Verwaltungsgliederungen 3.1 Älteste Strukturen 3.2 Bistümer (ab 10. Jahrhundert) 3.3 17. und 18. Jahrhundert 3.4 Von 1793 bis 1970 3.5 Von 1970 bis 2007 3.5.1 Fusionen bis Ende 2006 und große Kommunalgebietsreform 4 Literatur 5 Einzelnachweise 6 Weblinks Regionen | → Hauptartikel : Region (Dänemark) Dänemarks Regionen (seit 2007...
Read more

Liste der Kulturdenkmale in Wilsdruff

Image
Wappen von Wilsdruff Die Liste der Kulturdenkmale in Wilsdruff enthält die Kulturdenkmale in Wilsdruff. Die Anmerkungen sind zu beachten. Diese Liste ist eine Teilliste der Liste der Kulturdenkmale im Landkreis Sächsische Schweiz-Osterzgebirge. Diese Liste ist eine Teilliste der Liste der Kulturdenkmale in Sachsen. Inhaltsverzeichnis 1 Legende 2 Wilsdruff 3 Birkenhain 4 Blankenstein 5 Braunsdorf 6 Grumbach 7 Grund 8 Helbigsdorf 9 Herzogswalde 10 Kaufbach 11 Kesselsdorf 12 Kleinopitz 13 Limbach 14 Mohorn 15 Oberhermsdorf 16 Anmerkungen 17 Ausführliche Denkmaltexte 18 Quellen 19 Weblinks Legende | Bild: zeigt ein Bild des Kulturdenkmals und gegebenenfalls einen Link zu weiteren Fotos des Kulturdenkmals Bezeichnung: Name, Bezeichnung oder die Art des Kulturdenkmals Lage: Straßenname und wenn vorhanden Hausnummer des Kulturdenkmals; Grundsortierung der Liste erfolgt nach dieser A...
Read more