2 Answers. You should not log access tokens. Anyone who has access to access tokens can temporarily hijack those accounts. … Nevertheless, the amount of users that may be exposed from logging of these tokens makes it of serious concern.
Should I save access token?
Therefore, the access token should be stored on the web application server only. It should not be exposed to the browser, and it doesn’t need to, because the browser never makes any direct requests to the resource server.
Should you store access tokens in a database?
If you need to store your access tokens in a database, please keep the following in mind: Restrict access to the database in a way such that the access tokens are only readable by the owner of the token. … Encrypt access tokens before storing in any data stores.
Is it safe to log JWT token?
The general opinion is that they’re good for being used as ID Tokens or Access Tokens and that they’re secure – as the tokens are usually signed or even encrypted. … A JSON Web Token (JWT, pronounced “jot”) is a compact and url-safe way of passing a JSON message between two parties. It’s a standard, defined in RFC 7519.
Can access tokens be stolen?
Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering and typically requires user action to grant access.
Is it safe to store access token in local storage?
If you have any XSS vulnerabilities in your app, you will be susceptible to token theft no matter where you store them. At the end of the day, keeping your JWT in a cookie can carry the same dangers as storing them in local storage.
What is the best way to store token?
We strongly recommend that you store your tokens in local storage/session storage or a cookie.
Where should I store session token?
How do you securely store access tokens in database?
1 Answer. A solution for this is to encrypt the data before is saved into the database and decrypt it each time you need to access it. In your case I think that symmetric encryption is the correct choice, thus you will need to have a private key that must be kept safe at all times.