ASP.NET Core: JWT and Refresh Token with HttpOnly Cookies

Where should I put my token and other values?

HttpOnly and SameSite

Only cookies without the HttpOnly flag are accessible from client-side script, so setting the flag makes things harder for anyone else trying to read the token. Together, the HttpOnly and SameSite=Strict properties also protect you against XSS and XSRF attacks.

How should I send the token?

Other storages are accessible from client-side script, so with them you just write an interceptor that puts the token into the Authorization header. After that, the server side handles the authentication.

Note: If your authentication server is separate from your website, you can change the SameSite property on the cookies. After that, XMLHttpRequest or Axios with the withCredentials property will do the work.

Refresh Token

A JWT should have a short lifetime. In that case, you should strengthen your configuration with a refresh token. The definition is as follows:


Tokens are not completely safe, but we can increase security with a couple of measures. Cookies are a very good place to store tokens, and a refresh token saves the user from logging in again. You can find the source code on GitHub.
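
The pieces described above, put together as an added example (not the code from the author's repository): a minimal ASP.NET Core `Program.cs`, which needs the Microsoft.AspNetCore.Authentication.JwtBearer package, issues a short-lived JWT and a single-use refresh token as HttpOnly, SameSite=Strict cookies and makes the JWT bearer handler read the token from the cookie. The cookie names, endpoints, in-memory store, per-process key and the user "alice" are assumptions made for the illustration.

```csharp
using System.Collections.Concurrent;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
// Assumption: random per-process signing key for the demo; load a persistent secret in a real deployment.
var key = new SymmetricSecurityKey(RandomNumberGenerator.GetBytes(32));
// Assumption: in-memory refresh-token store (token -> user); use a database in practice.
var refreshTokens = new ConcurrentDictionary<string, string>();

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(o =>
{
    // Demo simplification: issuer and audience checks are off; turn them on with real values.
    o.TokenValidationParameters = new TokenValidationParameters
    { ValidateIssuer = false, ValidateAudience = false, IssuerSigningKey = key, ClockSkew = TimeSpan.Zero };
    // The browser attaches the cookie by itself, so read the JWT from it instead of the Authorization header.
    o.Events = new JwtBearerEvents
    { OnMessageReceived = ctx => { ctx.Token = ctx.Request.Cookies["access_token"]; return Task.CompletedTask; } };
});
builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication().UseAuthorization();

// Writes a fresh JWT and refresh token into HttpOnly, Secure, SameSite=Strict cookies.
void IssueCookies(HttpResponse res, string user)
{
    var jwt = new JwtSecurityTokenHandler().WriteToken(new JwtSecurityToken(
        claims: new[] { new Claim(ClaimTypes.Name, user) },
        expires: DateTime.UtcNow.AddMinutes(5), // short-lived JWT
        signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256)));
    var refresh = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
    refreshTokens[refresh] = user;
    CookieOptions Opts(DateTimeOffset exp) => new() { HttpOnly = true, Secure = true, SameSite = SameSiteMode.Strict, Expires = exp };
    res.Cookies.Append("access_token", jwt, Opts(DateTimeOffset.UtcNow.AddMinutes(5)));
    res.Cookies.Append("refresh_token", refresh, Opts(DateTimeOffset.UtcNow.AddDays(7)));
}

// Assumption: credential checking is omitted; "alice" stands in for a verified user.
app.MapPost("/login", (HttpResponse res) => { IssueCookies(res, "alice"); return Results.Ok(); });
app.MapPost("/refresh", (HttpRequest req, HttpResponse res) =>
{
    // Single use: the presented refresh token is removed before a new pair is issued.
    if (req.Cookies["refresh_token"] is { } old && refreshTokens.TryRemove(old, out var user))
    { IssueCookies(res, user); return Results.Ok(); }
    return Results.Unauthorized();
});
app.MapGet("/me", (ClaimsPrincipal u) => u.Identity?.Name).RequireAuthorization();
app.Run();
```

Because the cookies are marked Secure, the browser only sends them over HTTPS, so run the app on an HTTPS endpoint when trying it.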


