Migrate JWT tokens from localStorage to HTTP-only cookies #1864

@07SUJITH

Description

Switch authentication token storage from browser localStorage to HttpOnly, Secure cookies.

Goals

  • Prevent XSS attacks from accessing authentication tokens.
  • Simplify token management by leveraging browser cookie handling.
  • Ensure seamless login, logout, and token refresh flows.

Implementation Details

  • Backend:
    • Modify the login and refresh endpoints to set accessToken and refreshToken in HttpOnly, Secure, SameSite=Strict cookies with appropriate expiration.
    • Implement a logout endpoint that clears the authentication cookies.
    • Update server CORS settings to allow credentialed requests and specify the cookie domains.
  • Frontend:
    • Remove all localStorage.getItem, setItem, and removeItem calls for tokens.
    • Configure the HTTP client (Axios/fetch) to send credentials with every request (withCredentials: true).
    • Update the authentication service to let the browser attach the cookie instead of tracking the token itself; remove the manual Authorization header insertion.
    • Adapt error handling to detect 401 responses and call the refresh endpoint.
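The backend and frontend steps above, as an added example that is not the project's code: it builds the Set-Cookie headers for login/refresh, the matching clearing headers for logout, reads the cookie back on the server, and wraps fetch so a 401 triggers one refresh and one retry. The cookie names, the 15 minute / 7 day lifetimes, the `/auth/refresh` path (used to scope the refresh cookie so it is not sent with every API call) and the `fetchImpl` injection are assumptions for the example; the Domain attribute is omitted.

```javascript
// Added example (not the project's code): cookie-based JWT session handling.
// Assumed: cookie names, lifetimes, and the /auth/refresh endpoint path.
const ATTRS = 'HttpOnly; Secure; SameSite=Strict';

// Backend: Set-Cookie headers for the login and refresh responses. The refresh
// token is scoped to the refresh endpoint's path so it is not sent elsewhere.
function buildAuthCookies(accessToken, refreshToken, accessMaxAge = 900, refreshMaxAge = 7 * 86400) {
  return [
    `accessToken=${encodeURIComponent(accessToken)}; Path=/; Max-Age=${accessMaxAge}; ${ATTRS}`,
    `refreshToken=${encodeURIComponent(refreshToken)}; Path=/auth/refresh; Max-Age=${refreshMaxAge}; ${ATTRS}`,
  ];
}

// Backend: logout. A browser only replaces a cookie whose Path (and Domain)
// match the original, so the same attributes are reused with Max-Age=0.
function clearAuthCookies() {
  return [
    `accessToken=; Path=/; Max-Age=0; ${ATTRS}`,
    `refreshToken=; Path=/auth/refresh; Max-Age=0; ${ATTRS}`,
  ];
}

// Backend: read one named cookie from the request's Cookie header.
function getCookie(cookieHeader, name) {
  for (const part of (cookieHeader || '').split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Frontend: fetch wrapper. Credentials are always included (no token is ever
// read by script), and a 401 triggers one refresh call followed by a single
// retry; if the refresh itself fails, the original 401 is returned unchanged.
async function fetchWithRefresh(fetchImpl, url, init = {}) {
  const opts = { ...init, credentials: 'include' };
  const res = await fetchImpl(url, opts);
  if (res.status !== 401) return res;
  const refresh = await fetchImpl('/auth/refresh', { method: 'POST', credentials: 'include' });
  if (!refresh.ok) return res;
  return fetchImpl(url, opts);
}
```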

Tech Skills Needed

JWT, Security

Mentor(s)

@Jenin82

Complexity

Medium

Category

API
