Hi, I have been working with web applications for a while. Some months ago I found a possible approach to get the security advantages from browsers while using cookies for authenticating requests (probably better to call it session-based) with the stateless advantages of JSON Web Tokens (JWT). I'm looking for possible vulnerabilities in this approach.

It is well known that cookie-based authentication can be secure against XSS but introduces the complexity of CSRF; also, JWT is handy unless you need to invalidate tokens (XSS is a problem too).

Consider the following approach:

- When logging in, the user receives a JWT that has a very short validity period (like 3 minutes).
- After logging in, the user also receives a cookie that allows it to renew the JWT.
- The user keeps calling the server attaching the JWT (the cookie is attached by the browser); the server authenticates the requests using this token.
- When the server gets an expired token, it loads the session from the cookie and returns a new JWT (or the request is rejected and the user renews the token with another request); then the original request is retried with a valid token.

This approach gives some advantages:

- Token invalidation: if the JWT is ever compromised, it lives for a very short period of time.
- CSRF protection: on a successful CSRF attack, the browser gets a new short-lived token without performing any sensitive operation on the server.
- There could be lots of efficient stateless authenticated requests.

Any ideas?
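The scheme described in the post, as an added example (not the poster's code): a minimal HS256 JWT issuer/verifier, an in-memory session store keyed by the cookie, a protected endpoint that authenticates only by the bearer JWT, a renewal endpoint that reads the cookie, and a client that renews and retries once on an expired token. The secret, user name, timeline and the `token_expired` / `session_revoked` error strings are all constructed for the demo. `demo()` walks through the four cases the post cares about: a fresh token, a cookie-driven renewal, a cookie-only (cross-site style) request that can never reach the protected endpoint, and a logout that stops renewals so a leaked JWT dies at its own `exp`.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo secret; a real deployment loads it from a secret store.
SECRET = b"constructed-demo-hmac-key"
JWT_TTL = 180  # seconds: the "very short validity period (like 3 minutes)" from the post

# Server-side session store keyed by the cookie value (in-memory, constructed for the demo).
SESSIONS = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(user: str, now: int) -> str:
    """Mint an HS256 JWT with a short exp; only the server holds SECRET."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user, "iat": now, "exp": now + JWT_TTL}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, now: int):
    """Return ("ok" | "expired" | "invalid", payload-or-None)."""
    parts = token.split(".")
    if len(parts) != 3:
        return "invalid", None
    header_b64, payload_b64, sig_b64 = parts
    try:
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return "invalid", None
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return "invalid", None  # never trust a token-supplied algorithm
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad base64 or bad JSON
        return "invalid", None
    if payload["exp"] <= now:
        return "expired", payload
    return "ok", payload


def login(user: str, now: int) -> dict:
    """Login response: a short-lived JWT plus a session cookie that can renew it."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = user
    return {"jwt": issue_jwt(user, now), "cookie": cookie}


def logout(cookie: str) -> None:
    """Server-side invalidation: the JWT dies at its exp, renewals stop immediately."""
    SESSIONS.pop(cookie, None)


def handle_request(headers: dict, now: int):
    """Protected endpoint: authenticated by the bearer JWT only; cookies are deliberately ignored."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    status, payload = verify_jwt(token, now)
    if status == "ok":
        return 200, {"user": payload["sub"]}
    return 401, {"error": "token_expired" if status == "expired" else "invalid_token"}


def renew(cookies: dict, now: int):
    """Renewal endpoint: loads the session from the cookie and mints a fresh JWT."""
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return 401, None
    return 200, issue_jwt(user, now)


def client_call(state: dict, now: int):
    """Client side: call; on token_expired, renew via the cookie and retry the original request once."""
    code, body = handle_request({"Authorization": "Bearer " + state["jwt"]}, now)
    if code == 401 and body["error"] == "token_expired":
        rcode, new_jwt = renew({"session": state["cookie"]}, now)
        if rcode != 200:
            return 401, {"error": "session_revoked"}
        state["jwt"] = new_jwt
        code, body = handle_request({"Authorization": "Bearer " + new_jwt}, now)
    return code, body


def demo() -> dict:
    """Walk the scheme through its four cases on a constructed timeline."""
    t0 = 1_700_000_000
    state = login("alice", t0)
    results = {}
    results["fresh"] = client_call(state, t0 + 10)[0]                    # JWT still valid
    results["renewed"] = client_call(state, t0 + JWT_TTL + 20)[0]        # expired, renewed via cookie, retried
    # Cross-site style request: the browser would attach the cookie, but no Authorization header.
    results["cookie_only"] = handle_request({}, t0 + JWT_TTL + 30)[0]    # cookie alone never authenticates
    logout(state["cookie"])
    results["after_logout"] = client_call(state, t0 + 2 * JWT_TTL + 40)  # renewal refused once the session is gone
    return results


if __name__ == "__main__":
    print(demo())
```

The two properties the post claims fall out of the structure rather than any clever code: the protected endpoint never consults the cookie, so a request the browser sends on a third party's behalf can at most hit `renew` and obtain a token it cannot read; and because `renew` is the only path from a cookie to a new JWT, deleting the session bounds a leaked token's lifetime to one `JWT_TTL`. What this example does not address is XSS: script running in the page can still read the JWT from wherever the client stores it, which is the residual risk the post acknowledges.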