Theo's Typesafe Cult (TTC), 3y ago
gustagol

Storing JWT refresh token in httpOnly cookie

So, I'm building the auth part of an application. I have always returned both access and refresh tokens on the payload. And then have them stored separately on the client.

Now, after doing a little research, I have found that some people return just the access token on the payload, and have the refresh token set as an httpOnly cookie.

What is the opinion on this? Good practice? Bad practice? Unnecessary / anti pattern? Thanks in advance!
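
The second pattern described in the question, as an added example that is not part of the original post: the login response carries only the access token in its JSON body, and the refresh token travels solely in an httpOnly cookie scoped to the refresh endpoint. The cookie name `refresh_token`, the path `/auth/refresh`, the token lifetimes, the `use` claim and the small HS256 helpers are all assumptions made for the illustration.

```javascript
const crypto = require("node:crypto");

const SECRET = crypto.randomBytes(32); // constructed demo key, generated per process
const REFRESH_PATH = "/auth/refresh";  // hypothetical endpoint path
const b64u = (v) => Buffer.from(v).toString("base64url");

// Minimal HS256 JWT signer for the demo (assumed helper, not a library API).
function signJwt(claims, ttlSeconds) {
  const now = Math.floor(Date.now() / 1000);
  const head = b64u(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64u(JSON.stringify({ ...claims, iat: now, exp: now + ttlSeconds }));
  const sig = crypto.createHmac("sha256", SECRET).update(`${head}.${body}`).digest("base64url");
  return `${head}.${body}.${sig}`;
}

// Returns the claims if the signature is valid and the token is unexpired, else null.
function verifyJwt(token) {
  const [head, body, sig] = String(token).split(".");
  if (!head || !body || !sig) return null;
  const want = crypto.createHmac("sha256", SECRET).update(`${head}.${body}`).digest();
  const got = Buffer.from(sig, "base64url");
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return null;
  const claims = JSON.parse(Buffer.from(body, "base64url").toString());
  return claims.exp > Math.floor(Date.now() / 1000) ? claims : null;
}

// Login: access token in the JSON payload, refresh token only in Set-Cookie.
function loginResponse(userId) {
  const refresh = signJwt({ sub: userId, use: "refresh" }, 7 * 24 * 3600);
  const cookie = `refresh_token=${refresh}; HttpOnly; Secure; SameSite=Strict; ` +
    `Path=${REFRESH_PATH}; Max-Age=${7 * 24 * 3600}`;
  return {
    headers: { "Set-Cookie": cookie, "Cache-Control": "no-store" },
    body: { accessToken: signJwt({ sub: userId, use: "access" }, 300) },
  };
}

// Refresh endpoint: the token arrives in the Cookie header, never in the body.
function refreshResponse(cookieHeader) {
  const match = /(?:^|;\s*)refresh_token=([^;]+)/.exec(cookieHeader || "");
  const claims = match && verifyJwt(match[1]);
  if (!claims || claims.use !== "refresh") return { status: 401, body: { error: "invalid_refresh" } };
  return { status: 200, body: { accessToken: signJwt({ sub: claims.sub, use: "access" }, 300) } };
}
```

Because the browser attaches the cookie on its own, the refresh endpoint here depends on `SameSite=Strict` and the narrow `Path` to limit which requests carry it.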