Embedding JWT in cookie


I have a client-side SPA that connects to a server-side API

Currently my authentication scheme saves a JWT in the client’s localstorage, but this is a problem when they navigate across subdomains.

The solution seems to be using cookies instead. I’d like to know whether it’s possible to embed the JWT into a cookie (so I don’t have to rewrite too much logic) and if this is an acceptable practice.

Here’s an article that might help: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage

At my workplace we store JWT in cookies. For storage mechanisms, cookies and localStorage is quite similar.

Depends if you are ok with changing backend to deal with cookie vs Authorization header (it is considered a good practise to use HttpOnly flag).