how we use jwt token in cookies?

@@imnishantsharma it's exactly the same. Create token and wrap it inside cookie as I showed in the video

@@RahulAhire okay i got it. Thanks

but what if it's diffrent then how I would access it? do I have to buy subdomain?

@@anshulghogre4 subdomain are free they don't cost anything additional. Watch this - kzbin.info/www/bejne/n3XXpp-br6iMicU

Thanks Adrian for your feedback. I'm glad that his was helpful and did worked for you.

Learning new things is always bit challenging and I can relate with you. I hope this video proved to be helpful for you. Thanks for watching this video and especially leaving your feedback here - highly appreciated.

Thankyou Joseph Really means a lot to me. This was something that too messed with my mind for 7 days. I hope it answered all your queries.

That's great. Thanks for your efforts, the open source spirit runs because of guys like you which makes our life easy.

I don't know what to say but thanks for your appreciation. Really means a lot 👊.

Thanks Stanley ❤️. I'm glad I could helped you indirectly with this video..

Thanks for coming up here, I'm glad to know that it helped you. Even I had spent many days to understand this and it's good to see it's helping many people to cut their learning time.

Thanks Ben for waiting by and watching the video. I do have another video on actually using jwt with httpOnly cookie check this out : kzbin.info/www/bejne/iJOTZpylgbJ3qq8

I'm happy you liked it

Thanks for the feedback, glad to hear that it worked for *your requirement.

Thanks Daniel 🙏 I hope it helps you in your project.

@@RahulAhire Clear, concise and simple to understand. I never got confused about anything in this video and it has really helped me in my current project. Just earned a subscriber!

I'm grateful that it worked for you.

That's great, happy to hear that.

Thanks for the appreciation, I'm glad it helped you

I'm really happy that you find it useful..

I'm glad it's helping you. Keep creating 💥 Thanks for watching this video.

How can I help you?

Thanks Aakash for you kind words, really appreciate it. I've been working on a project that's taking some time so I couldn't be consistent but I'll surely try to get on track. The new video should come out today and that's about money and tech. It'll will be part 1 of 3 video of my blockchain series. I think it'll be the same what you're hinting. I take the later part into consideration for my future video for sure.

Thanks Timotius 👍🏻

Thanks Ejaz, good to hear that it worked for you.

Thanks Yash, I appreciate your comment.

Thanks for the feedback, good to hear that it helped you.

Thanks Nishad, I'm glad I could help you.

Thanks Vinu for kind words. I'm glad you found it useful. By the way I do have a tutorial based on it. You can check it right here : kzbin.info/www/bejne/iJOTZpylgbJ3qq8 Tldr, it's 2 hrs long. So, if you want, you could directly skip for code in GitHub repo. One more thing that I didn't mentioned in this video that if you're working on prod/deployment environment then in order to make httponly cookie work make sure the base domain of API and frontend are the same eg. Google.com, fb.com, etc. Rest for samesite and cors, you can choose whatever subdomain as you like to keep frontend and API seperate. I hope this clears up...

@@RahulAhire thanks man

It's an vscode extension - power mode

@@RahulAhire thanks you

I'm really happy that my effort seemed useful for you. Thanks for feedback, I really appreciate it..

Thanks Darshan for your words, really means a lot.. I really appreciate that you watched it and expressed your feedback. Hussain is really great in explaining and he's the only one right now who's explained actually deep topic used in production environment. Again thanks for subbing ❤️

That's something new for me. Thanks - really appreciate it.

Thanks Coolemur, highly appreciated 🔥

I'm glad to know you're upgrading the security of your website. The developer's frustration is mutual 🙌🏻

@@RahulAhire exactly! 4 days of trying to fIgure something that can be done in 1min. In nextjs was slightly different but easier with the cookie module.

Thanks Riki, I'm glad to hear that it helped you. More such videos are surely coming up

@@RahulAhire but how to access in react when httpOnly is true? i want to send my token to server to validate token

You'll need a fake token with a jwt token to know the expiry of the token. You can see my SMS OTP video where I have demonstrated this but if you want a quick demo then check this dev.to blog : dev.to/petrussola/today-s-rabbit-hole-jwts-in-httponly-cookies-csrf-tokens-secrets-more-1jbp

@@RahulAhire ooh, i see. u save my time. thanks a lot.

Sorry for late response. Do you have any suggestions that I can improve upon? I'd love to hear about it. For accent, I'm sorry I can't change it even if I want to.

@@RahulAhire Your English is easy to understand do not worry about it :) As for tips, maybe get a better webcam, your current one looks a bit grainy, or better yet when you are explaining something, instead of recording yourself, draw the concept on a whiteboard (virtual) and show yourself in a corner of the video, something like this: kzbin.info/www/bejne/qoG8m2ace696oM0 (an example).

Can you please elaborate on what exactly are you trying to do?

Thanks Ajith, I'm glad that you find it useful.

Well it depends on how you deploy your micro services but fundamental are still the same. You can have unique subdomain for each bff and set the httpcookie to LAX.

Yeah even I realized that later. I'll make sure it won't happen from now onwards. I think it happens if I'm not sure what to speak next or my mind just goes blank for a blink of eye. But yeah from next time I'll be more prepared and aware in giving my presentation. Thanks for pointing that out 😊

@@RahulAhire great content man , your content is exactly what I need now 😂 Watched you Aws lamda export.handler video. Great work 👍👍

Thanks @@ruthvik_4737, I really appreciate your kind words. Between let me know if there was the problem of speaking too many "as well" in my lambda video. If it's there I'll sort it out in the next one

@@RahulAhire Can we use httpOnly cookie to implement "KEEP ME LOGGED IN" feature on website ?

@@RahulAhire Just refer to this thread and share you views please stackoverflow.com/questions/1354999/keep-me-logged-in-the-best-approach

aslo i want to thank you, you helped me to understand alot, i solve some of my proplems with cookies, i watched alot of different videos but they wasnt as helpful, all i want to say i got same resoults using react, proxy and fetch

@@vladosononame6376 you learnt to bake http cookie and will use it to make your app more robust, that's what I want from all. Thanks for coming by.. Glad I could share something...

@@RahulAhire thank you, you are beautiful person, im subscribing

@@vladosononame6376 🙏🏻

@@RahulAhire 🙏🏻

Me alegro de poder compartir algo valioso. Gracias por venir y ver este video.

Thanks nien for watching this video. I'm happy that you find it helpful...

Thanks 👍🏻

Anything wrong about me or factual errors? I'd love to know more about it to improve upon it.

@@RahulAhire All right. That's what I was looking for

@@nalcapital I didn't got what you want, could you please elaborate??

Create a fake dummy token with no httpOnly but with same expiry For more information : dev.to/petrussola/today-s-rabbit-hole-jwts-in-httponly-cookies-csrf-tokens-secrets-more-1jbp

Disabling these "flags" in chrome helped. But the cookie still disappears upon refresh. Cookies without SameSite must be secure Enable removing SameSite=None cookies SameSite by default cookies

Have you setup cors correctly?

@@FrTormod are you trying to use httpOnly and samesite to none? If that's the case then actually it's contradicting the purpose Checkout here to know more about samesite: developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite Ideally you should only use lax or strict in samesite

Good to hear that

Thanks hrutvik 👍🏻

Atleast that's what the theory says so it should work. Edit: you should set the cors to the domain name of react frontend and you don't need to deploy your react in heroku. It can be anywhere eg. Cloudflare or netlify.

@@RahulAhire thanks 👍👍 was searching about this for quite some time now!! But if i host my frontend and backend on the same domain then what will be the value of origin or is it that because the domain is same for both server and frontend i will not get a cors error?

If I'm assuming you're running react within express then set the cors to the localhost of the machine otherwise try the previous one which I suggested.

@@RahulAhire thanks !! Got everything working now . The first method worked for me.

@@haha7836hahah great 👍🏻

I'm glad you find it useful..

Thanks

Good 👍🏻, I hope it helps you to build secure apps.

Oh thanks..

Thanks 🙏🏻

I didn't quite got your question? Can you please elaborate more on what would you like to know more about local storage?

@@RahulAhire you gave example for session storage with KZbin speed running from 2x to normal 1x on change of tab in chrome.... Similarly what is the example for local storage usage?

@@sourabhkulkarni1731 session and local storage are almost same only the difference being if you want to store any value for longer you can use local storage for it. If you have theme switcher then most site uses local storage to remember whether you chose dark or light mode and there can be numerous examples for it.

@@RahulAhire Thanks for answering.

Please see my pinned comment. You should have a common root domain for your backend and frontend app in order to get the http cookies

Yes you can, it's local to you. If you own a key to your house it doesn't mean you've broke into house. It's still accessible to yourself. The whole reason of http cookie is it cannot be accessed by javascript XSS attack. That's why it's secure.

To know the whether isAuthenticated is true or false create a exact dummy access token without any JWT token as a value. Like true or false. Here's an detailed article about checking authentication for private routes : dev.to/petrussola/today-s-rabbit-hole-jwts-in-httponly-cookies-csrf-tokens-secrets-more-1jbp and also my GitHub repo for code sample github.com/MeRahulAhire/React-Node-Passwordless-Auth/blob/a251fcc21b76d4136ad62ac8430077240c5b3b7f/server.js#L66 also see the auth.js file in my repo for the usage of fake access token with same expiry date

Sure no worries 🙂

@@RahulAhire hey it worked.thanks man. My four day struggle just gone thank you so much❤️❤️❤️. now another problem is how it remebers the cookies if i open the same link in another tab

@@bunnybloods768 I can relate with you. Even this video took me a week of hit and trial. I don't know what you are making but for that second part, you can use websockets

@@RahulAhire i making a login auth with jwt, when the user successful logs in its send a jwt as a token, so if the user open another tab, it should remembers the cookies and logs in directly without asking any log in credentials

@@bunnybloods768 that's easy. See this article dev.to/petrussola/today-s-rabbit-hole-jwts-in-httponly-cookies-csrf-tokens-secrets-more-1jbp or I have a video on otp based login on my channel, feel free to watch it.

Kafi rich complement 😂, Thanks for watching. I'm glad you liked it. Between there are indeed new channel that are rising which does have unique perspective that we all need in software. You can also search for them.

In production, have a common base domain for eg. the frontend is google.com and the backend might be api.google.com and rest all the principles follows the same as I've shown in the video. How to send them? - if you are using axios then use the with credentials settings to attach the http cookie on each request you send to the server. flaviocopes.com/axios-credentials/ Edit - you're right http cookie are not accessible by javascript. You can still view them in cookie tab in dev tools only for yourself just like how you own the keys of your home.

Thanks for the reply, I think my problem is that I'm using amplify authenticator which gives the tokens to the client and I can't create them server side as this library is client side only.

@@daviddoyle7580 well see if you can send those token from backend sort of proxy via set cookie method. Other than that, I don't know how cognito specifically works so can't tell anything about it.

@@RahulAhire Thanks for the reply, I think the tokens should just always be received initally on the serverside for safety, I dont even understand why AWS made this Amplify client side library in such a way that its xss vulnerable.

You are contradicting the purpose of http cookie by doing so. http cookie says you cant access me. But, the sameSite: none says use me as you want and I showed in the video that if there's any contradicting pattern, browser will not accept the cookie. Either you can make your sameSite to Lax if you're using sub domains or disable http cookie (which I don't suggest in case of storing credential) if you aren't storing any critical data.

As a backend you'll need express to work with http cookie

Then you can try indexeddb but I don't know about it's security.

To prevent CSRF (cross side request forgery) you need to implement an anti CSRF token that's generated from server to identify the client and confirm that it isn't malicious user. In case of httpOnly cookie I'm not sure whether we need this or not but I've personally not worked with it so can't tell you how it's implementation looks like You can check this out blog.rahulbhutani.com/how-to-implement-csrf-tokens-in-express-node-js/

httpcookie requires samesite:true I think you should check that config and let me know what happens.

@@RahulAhire I did set the value for samesite when set cookie I set it sameSite:'strict' also want to mention that it is working on localhost but when i do same thing on heroku on my node app It doesnt set cookie in browser but i am getting it in response and front end app is on localhost:3000

anyone who is facing the same issue, as secure isn't visible on live, so it wasn't being shown in tab(application->cookies) also check that origin and credentials check.

I've explained that in this video. Please do watch the demo part.

Http cookie are generally used to store jwt and credentials but I'm not sure why you want to do that but anyway one way is to send the blank request to server with with credentials property and get cookie as a json response from server.

Unless you are using http cookie, you can only use those cookie across subdomain not cross domain. In that case you'll need backend to send to both different site.

Can you please elaborate your question, I didn't understood it.

That's super simple. While creating jwt token, you're essentially writing some details or payload while encoding it. During verification all you need to do *is to decode the information with the private key. More info : www.npmjs.com/package/jwt-decode

@@RahulAhire Thank you so much for the fast reply. Yes we can decode the token to get details we encoded. But how to get the token that we received through axios request. Here's what I'm trying to do is, I'm setting the token in http only cookie after login. Now I want to verify the token and I have tokens of couple of users in my cookies but I need that token which was currently sent through axios to verify and authorize the specific user. Please reply again.

@@nikhilthadani4131 use withcredential property to attach the token with every request flaviocopes.com/axios-credentials If you are using httponly cookie make sure you've set the cors correctly and during deployment the url(root domain) of frontend and backend should remain the same, subdomain can be anything.

I didn't got what you meant to say.

I'm assuming by private routes is you want to it in frontend framework like react and next or any other as with backend, without any jwt token the private route api won't respond. So what you can do it when sending a http cookie that contains jwt token, also send an additional cookie which isn't http and has same expiration timestamp as the http ones. Now call that non-http cookie with javascript to check if it exists. By knowing it's existence, you can also define the existence of http cookie indirectly. Now if are paranoid about what if it doesn't work then you can always fire that cookie on a specific API route that just validates the https and send the JSON response whether it's true or false, valid or invalid, etc. Based on any above mentioned two methods you can implement conditional rendering to open the private routes. I hope this clears up. If you have any questions please let me know...

@@RahulAhire Thank You very much, I understood both of the solutions. Regarding the first solution, the hacker can have access to the non-http cookie, and because everything depends to that non-http cookie, then the hacker can have access to the protected routes. Am I right ?

@@trodoumanian5135 what do you mean by private routes? Is it on frontend or backend? First of all as safety measures you *shouldn't write the jwt token or session cookie into non-http cookie. Just give name and value as cookiePresent=true/false with some additional details as required for your application. And yeah specify CORS correctly. Modern browser are smart enough to prevent XSS attack by default so you don't need to worry about it. But do make sure on backend that you're verifying the input data before it gets nears to DB.

@@RahulAhire first of all Thank you very much for your collaboration. On the backend(graphql) I am verifying the data before getting to the DB. Now my problem is with the frontend(react). I am making a chat application, once a user is logged In, he/she will have access to /chatRooms route and hence enter or create a chat room. Now this is my issue: how to give access to the user that is logged In, using http-cookies. Thank you for your time, I really appreciate it.

@@trodoumanian5135 I appreciate all your kind words. 1. How to create private routes in react - please have a look at this video: kzbin.info/www/bejne/aJybf5-be896bas 2. How to verify http Cookie - dev.to/petrussola/today-s-rabbit-hole-jwts-in-httponly-cookies-csrf-tokens-secrets-more-1jbp If you have any confusion in these let me know...