I would like to not have to implement things like redis or storing refresh tokens in a database. I would like to utilize the “full power” of JWTs (scalability, no need for storing anything related to sessions/tokens, stateless, etc.)
Say I have a cookie which is set as secure, httpOnly, samesite=lax.
The cookie will expire when the user closes the website, unless the user specified the “remember me” option. And inside this cookie a JWT will be stored which will never expire.
Of course some CSRF protection would also be implemented!
Is this secure enough? How would an attacker ever retrieve the JWT from a client given the requirements (cookie requirements) mentioned above?
If the JWT is completely inaccessible from an attacker then there is no need to revoke the JWT or have it expire at some point right?
2 Answers
IMHO, if you are protecting sensitive information, having long-lived auth tokens in cookies is dangerous. A user could be tricked through social engineering into opening the dev tools and sharing the cookie content. Security is a pain, but it pays off in the long run.
To the question “Is this secure enough?”, only you can answer and decide whether you want to go with this solution or not.
From an outsider's point of view, I think a JWT set with no expiration is already not good practice, because by doing so you are kind of giving away some endless access.
Then you write “How would an attacker ever retrieve …”. That is one more unsafe assumption. The proper definition of a “successful attack” is usually exactly when an attacker does something in a way you did not expect.
To sum it up I would say: what you are thinking of is possible; but it is not something to recommend.
To get more in-depth opinions you may check further documentation or consult experts. To start with, you may have a look at these few JWT tutorials.