How Do I Keep JWT Refresh Tokens In Cross-Origin Cookies

Osman Zakir 121 Reputation points
2024-05-13T11:52:03.01+00:00

I have a project where I've built a personal library app using the MERN stack, but the server and client are on different URLs on Render.

I'm storing a JWT refresh token in secure HTTP cookies that have the same-site property set to false. But I read under issues in the Edge browser that cross-origin cookies will be blocked in a future update.

How can I resolve this issue? Is there any way for me to address the privacy concerns and avoid having to remove the cross-origin cookie?

Would PKCE help my issue? I remember reading that some ways people use to store JWT refresh tokens aren't secure. Is PKCE included in those?


Accepted answer
  1. Anonymous
    2024-05-14T05:37:45.0833333+00:00

    Hi @Osman Zakir ,

    In my opinion, you can take a look at the CHIPS proposal (Cookies Having Independent Partitioned State). The CHIPS proposal offers a new but more limited escape hatch: a developer may opt in to partitioning their cookie so that it is no longer a "third-party cookie"; it is instead a partitioned cookie. It then works around the issue of third-party cookies, which will be blocked in the future.

    CHIPS is now supported by Microsoft Edge.

    For more information, you can refer to this MDN doc.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Best Regards,

    Shijie Li
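The answer above names the attribute but not the full set of cookie attributes a cross-origin refresh-token cookie needs. The following is an added example, not code from the question or the answer: it builds the `Set-Cookie` header for a refresh token that a client on a different origin can send back, and it checks an arbitrary `Set-Cookie` header for the attributes that matter (Secure, HttpOnly, SameSite=None, Partitioned). It assumes the API is served over HTTPS and that the token value is an opaque, cookie-safe string minted elsewhere; the cookie name `refresh_token` and the path `/auth/refresh` are assumptions. It runs on plain Node.js with no framework; in Express you would pass the returned string to `res.setHeader("Set-Cookie", ...)`.

```javascript
// Added example (not from the original post). Builds and checks a Set-Cookie
// header for a JWT refresh token used by a cross-origin client.
//
// Attribute rules for a cross-site, partitioned cookie:
//  - SameSite=None is the only SameSite value a browser sends on a
//    cross-site request, and browsers require Secure together with it.
//  - Partitioned (CHIPS) keys the cookie to the top-level site that embeds
//    the request as well as to the cookie's own site; it also requires Secure.
//    Without it the cookie is an ordinary third-party cookie and goes away
//    once the browser blocks those.
//  - HttpOnly keeps the refresh token out of document.cookie, so injected
//    script cannot read it.
//  - Path is narrowed to the refresh endpoint so the token is not attached
//    to every API call.

const TOKEN_NAME = "refresh_token"; // assumed cookie name

function buildRefreshCookie(
  token,
  { maxAgeSeconds = 30 * 24 * 3600, path = "/auth/refresh", partitioned = true } = {}
) {
  // Reject values that would break the cookie grammar or smuggle attributes.
  if (typeof token !== "string" || token.length === 0 || /[\s;,]/.test(token)) {
    throw new Error("refresh token must be a single cookie-safe string");
  }
  const parts = [
    `${TOKEN_NAME}=${token}`,
    `Max-Age=${maxAgeSeconds}`,
    `Path=${path}`,
    "Secure",
    "HttpOnly",
    "SameSite=None",
  ];
  if (partitioned) parts.push("Partitioned");
  return parts.join("; ");
}

// Minimal Set-Cookie parser: name/value plus a map of lower-cased attributes.
// Valueless attributes (Secure, HttpOnly, Partitioned) are stored as true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (a === "") continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Returns a list of problems; an empty list means the cookie is usable from a
// cross-origin page and survives third-party cookie blocking via CHIPS.
function checkCrossSiteRefreshCookie(header) {
  const { attrs } = parseSetCookie(header);
  const problems = [];
  if (!attrs.secure) problems.push("missing Secure (required by SameSite=None and Partitioned)");
  if (!attrs.httponly) problems.push("missing HttpOnly (refresh token readable by page scripts)");
  if (String(attrs.samesite || "").toLowerCase() !== "none") {
    problems.push("SameSite must be None for the browser to send it cross-site");
  }
  if (!attrs.partitioned) {
    problems.push("missing Partitioned (plain third-party cookie; blocked once third-party cookies are)");
  }
  return problems;
}

// Weak setting beside the corrected one, using a constructed token value.
const sampleToken = "eyJhbGciOi.sample.refresh"; // constructed, not a real JWT
const weak = buildRefreshCookie(sampleToken, { partitioned: false });
const fixed = buildRefreshCookie(sampleToken);
console.log(weak, "->", checkCrossSiteRefreshCookie(weak));
console.log(fixed, "->", checkCrossSiteRefreshCookie(fixed));
```

The checker is the piece worth keeping in a test suite: run it against whatever header your server actually emits, since a framework option such as `sameSite: false` silently drops the attribute rather than setting `SameSite=None`.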

