I am developing a Flutter web application that requires user authentication using JWT tokens. After a successful login, I receive a JWT token that I need to store securely for making authenticated API requests.
I have considered a few options, such as:
Local Storage: Using the dart:html library to store the token in localStorage.
Any guidance or best practices for securely storing JWT tokens in Flutter web would be greatly appreciated!
2
Answers
You should not have any issue with saving the JWT on localStorage. Alternatively, You can use
flutter_secure_storage
https://pub.dev/packages/flutter_secure_storage package as it supports web now. other thing you can do is passing the token in cookies with httpOnly flag from server to frontend.dart.html
will do the thing as normal js works in web browser.Storing the JWT tokens in local storage can be simple and easy to implement, but it is not recommended for security reasons. When you store the tokens in local or session storage, they can be accessed through any Javascript on your web page, which means it is vulnerable to attacks such as cross-site scripting. If an attacker can execute scripts on your web page, he can impersonate the user by making requests to your API with the stolen token.
according to me the best approach to store your tokens would be using httpOnly cookies(Access token and Refresh token approach).
eg:Set-Cookie: access_token=<your_token>; HttpOnly; Secure; SameSite=Strict;
how it works:
2)when the access token expires, the Flutter web app uses the refresh token to request a new one from the backend.
3)If the refresh token is valid the backend generates a new access token. (the user does not have to log in again).
Hope this answer helps u…..