by skuxxlife
516 days ago
The current best practice is to keep the token in memory only and store a refresh token in an HTTP-only cookie. In my experience though, if you’re only doing web-based auth and don’t _need_ to use JWTs for a specific reason, just use regular session cookies; it’s way less hassle. Coordinating auth and refresh state across page refreshes and tabs is a pain, and using a refresh token means you’re using cookies and saved session state anyway, so you lose pretty much all of the unique benefits of using JWTs and still have all the downsides.