วีดีโอ

thank you very much i have learnt alot

but you are storing refresh token in cookies so it is not in-memory

damn me if i understood

can any one answer why cookies are getting clear when refresh the page ?

Hello Coach, Hope this message finds you well. I'm reaching out to you today because I believe your courses have the potential to attract a significant number of students and generate positive reviews. Would you be interested in proceeding further? Here are my marketing plan to promote your Udemy course to attract more students and gain many positive 5 stars reviews: 1. Offering free Coupon: Provide a taste of your course content with a free coupon to enroll 1000 students in 5 days. 2. Utilizing Social Media 3. Email Marketing Campaign 4. And possibly running ads. I'm looking forward to hearing from you soon. Thanks.

But doesnvt the refresh token have the same problem as the cookie? Can't an attacker just make a request with the refresh token and get the jwt that way?

Great Video. Thanks alot. I gave a question. Why not just store the JWT token inside the HTTP only cookie since XSS attacks can't get to it. Instead of the hassle of using a refresh token. Thank you.

I searched a lot about these refresh token and access token, finally, I understood what's going on. Thank you sir

This was/is a phenomenal video. Though not titled microservices, this is the only video that I've found that helped me with the front end side of handling APIs. Thank you for making this.

the fact that your previous app got hacked through XSS has absolutely nothing to do with the JWT being in localStorage as a sole fact. So it's absolutely deceptive to advertise to "Stop using local storage". So many people get their facts wrong, end up getting to the wrong conclusion, and spread it out anyway... LocalStorage, in memory using closure or session, should all be considered vulnerable to XSS. With that in mind you should: 1. make expiration time small (15-30mins) 2. make sure the jwt is unusable outside of the user's browser by using a fingerprint (in short, random string that you hash, include to the JWT payload, and set the cleartext as an httpOnly, secure, sameSite strict cookie) to verify all requests (if token's fingerprintHash !== hash(cleartextFingerprint), smthg's wrong) 3. sanitize any user inputs (text, images, anythg..), and be obviously very careful when rendering them 4. for UX, using refresh tokens as httpOnly, secure, sameSite strict cookie is acceptable

This is cool bro

Thanks bro :)

Important thing to highlight that such an approach is great for web browser applications but not a good idea to follow it if we are creating same Auth API for IOS or Android as they don't have the cookies mechanism.

Nice but csrf?

Problem with this method is, if someone gets the refresh token, they may infinitely keep on getting new tokens. One would say, to tackle this issue, keep the expiry time of small duration. However, it’ll create another issue. Suppose, if I shut down my system and come back the next day, the refresh token would have expired by now. Therefore, I’ll have to log in again. What could be the potential solution to such problems?

Did you work in WD before?

Why does the thumbnail looks like a meme

There’s nothing wrong with storing tokens in local storage. If your site has XSS vulnerabilities, you have much bigger issues.

Thank you

Thanks. Concise examples of a modern testing pattern. Much appreciated

Good work. Where are the rest of series? Are you going to work on the next episodes in the series?

Thanks for this Kati!

very well explained

Haha did he just say "bug free application"? 😂🤣

Great info and thank you for sharing sir, I can see you are setting the new token to the header after the request inorder to persist it. How can you do this with axios, meaning how can you set a header after request with axios or am I missing something.

Hey, I went to your site and signed up for the react testing class and the videos were set to private. I think your videos are really good!

Which text extension do you use?

Thanks so much!

Great explanation!

How would you handle same application in multiple tabs? Or on multiple devices?

excellent tutorial! explained in a crisp & understandable way. thank you very much. :)

Wow.. I keep learning about new CMS apps each day.. gonna give this a try

he BOUGHT the software hahahahahah

Thank u so much, interested in starting so soft during quarintine and just need a place to get started, thx for the support

Great video! have your like good man !

Thanks for the kind words, I'm always happy to help! Let know if you'd like any videos on specific topics in the future. I wish you all the

I have been struggling with building a database for a SaaS application and your video has helped me solve it. Thanks a million Kati

Nice.

Bravo, great explanation, thanks for sharing

by storing the refresh token in a httponly cookie, does it prevent an attacker from using it ? my current set up is quite the same ,storing the access token in memory and returning it in a response body from the server and at the same time the server sets up a httponly cookie containing the refresh token...For now i havent found a way to encrypt and sign the token (i am using ktor for the backend) as i use a call.response.cookies.append() method to set my cookie

How to pass cookies in testing to getserversideprops? I got error Cannot read property 'cookies' undefined

03:44 Backend response 04:06 Not using local storage | Immunity to cross-site scripting attacks

tysm almost a week I searching about the refresh token huhu finally you saved me tysm!

How could a PWA get the user information using this strategy while offline or on a unstable connection?

I know everyone is hyping that don’t store tokens in local or session storage. But the reality is if your application is vulnerable to XSS attacks then an attacker can high jacks your tokens stored even in http only cookie by triggering an fetch request to his malicious domain with credentials set to true. So I personally think that we should give more focus on preventing any sort of XSS vulnerabilities in our site rather than deciding where we store our tokens. Personally I prefer session storage as it expires when user closes browser tab. Also please note that I am not saying that author is completely wrong. This is a good quality video. Just saying that this approach will also fails if we have XSS vulnerability.

Hello Franz, very nice video!! Great content too! However, you left out something. The cookie holding the refresh token is still susceptible to CSRF attacks. And once that happens, it’s game over. HttpOnly alone won’t save the cookie from CSRF attacks. You need additional settings on the refresh-token cookie 🍪 for GraphQL. Namely: Path: /graphql; Domain: localhost:4500; SameSite: Strict. Now, with these additional settings, the refresh-token cookie is not vulnerable to CSRF via abuse of ambient authority on cross-site, cross-domain scenarios

I do not understand why people completely stopped talking about CSRF-attacks. Developers actually stopped using httpOnly cookies and went for localStorage for a reason. Cookies, httpOnly or not, are very much prone to an attack. They are not prone to an XSS-attack but they are prone to a CSRF-attack. localStorage are not prone to CSRF though. And if XSS does happen then even with well protected cookies an attacker has huge power and still is able to make a lot of damage.

Hi, isn't the refresh token is vulnerable to CSRF attack?

This is amazing

Thanks, man.