For storing auth-related information, such as JWTs or session identifiers, both local storage and cookies in the browser are common options. The deciding factors are who attaches the token to requests (the browser automatically, or application JS) and what can read it.
Cookie advantages:
- Will be sent to the server automatically with every matching request; no client code is involved
- More in-built options via cookie attributes: Expires/Max-Age for automatic expiration, HttpOnly (value not readable from document.cookie, so an XSS payload cannot read it, although it can still issue requests that carry the cookie), Secure (HTTPS only), SameSite (limits cross-site sends)
Cookie disadvantages:
- Vulnerable to CSRF, because the browser attaches the cookie to cross-site requests as well (mitigated, not eliminated, by SameSite=Lax/Strict plus anti-CSRF tokens)
- Are sent by default, so the secret leaves the browser without the app's involvement; the Secure attribute and enforcing HTTPS (e.g. HSTS) are necessary to keep it off the wire in clear text
Local Storage advantages:
- Not sent automatically, so a cross-site page cannot ride on the token (no CSRF by default)
- Token is readable by the app's own JS, which is convenient for attaching it to cross-origin API calls
Local Storage disadvantages:
- Any JS running on the origin can read everything in local storage; there is no HttpOnly equivalent
- Vulnerable to XSS: an injected script can read the token and exfiltrate it, which gives the attacker the session outright, not just the ability to issue requests from the victim's browser
- The relevant token (session ID or JWT) isn't sent automatically. Thus, the client needs to set the information manually in requests to the server. For JWT:
Authorization: Bearer <jwt-here>
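The two transports side by side, as an added example that is not part of the original note: the server-side Set-Cookie header with the attributes listed above, and the client-side Authorization header built from storage, plus the matching server-side parsers. It runs in Node.js with no dependencies; the token strings are constructed placeholders and MemoryStorage is an assumed stand-in for window.localStorage.

```javascript
// Added example, not from the original note. Node.js, no dependencies.
// Assumptions: placeholder token strings; MemoryStorage stands in for window.localStorage.

// ---------- Cookie-based session: the server sets the attributes ----------

// Build a hardened Set-Cookie header value. The attributes are the "in-built options"
// the note refers to: Max-Age (automatic expiry), HttpOnly, Secure, SameSite.
function buildSessionCookie(name, value, { maxAgeSeconds = 3600, sameSite = "Lax" } = {}) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error("invalid cookie name");
  // Cookie values may not contain ';', ',', whitespace or control chars; reject rather than mangle.
  if (/[;,\s\x00-\x1f]/.test(value)) throw new Error("invalid cookie value");
  if (!["Strict", "Lax", "None"].includes(sameSite)) throw new Error("invalid SameSite");
  return [
    `${name}=${value}`,
    `Max-Age=${maxAgeSeconds}`, // browser discards the cookie after this many seconds
    "Path=/",
    "HttpOnly",                 // not exposed to document.cookie, so XSS cannot read the value
    "Secure",                   // only sent over HTTPS, never in clear text
    `SameSite=${sameSite}`,     // Lax/Strict stops most cross-site sends (CSRF mitigation)
  ].join("; ");
}

// Server side: pull the named cookie out of an incoming Cookie request header.
function getCookieValue(cookieHeader, name) {
  for (const part of (cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    if (part.slice(0, idx).trim() === name) return part.slice(idx + 1).trim();
  }
  return null;
}

// ---------- Local storage: the client has to attach the token itself ----------

// Minimal stand-in for window.localStorage so this runs outside a browser (assumption).
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
  removeItem(key) { this.items.delete(key); }
}

// Client side: build the headers for a fetch() call. Nothing is sent unless this code runs,
// which is why a cross-site page cannot ride on the token (no CSRF), and also why any
// script on the origin can read it (XSS).
function authHeaders(storage, key = "jwt") {
  const token = storage.getItem(key);
  return token ? { Authorization: `Bearer ${token}` } : {};
}

// Server side: extract the token from "Authorization: Bearer <token>" (RFC 6750 token68 charset).
function getBearerToken(authorizationHeader) {
  const m = /^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)$/.exec(authorizationHeader || "");
  return m ? m[1] : null;
}

// Demo with a constructed, non-functional placeholder token.
const storage = new MemoryStorage();
storage.setItem("jwt", "eyJhbGciOiJIUzI1NiJ9.e30.placeholder");
console.log(buildSessionCookie("sid", "s3ss10n-1d"));
console.log(authHeaders(storage));
console.log(getBearerToken(authHeaders(storage).Authorization));
```

Note the asymmetry the code makes visible: the cookie variant needs no client code at all (the browser does the sending, hence the CSRF exposure), while the local storage variant requires `authHeaders()` to run on every call, and anything that can call `storage.getItem("jwt")` can also copy the token out.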