Ask Sawal

Discussion Forum

Sakina Santiago-Hudson




Posted Questions




Posted Answers



Answer


I have been designing and developing web applications for more than 7 years.

Through these years, I have seen a lot of authentication mechanisms; some of them are RESTful and others are not. The RESTful services mostly used JSON Web Token (JWT) as an authentication token.

Whenever I implemented JWT-based authentication, I asked myself this question, “Where do we store the JWT?”

Edit: This article is focusing only on browser implementation.

Let’s answer the big question.

We have three options available for storing the data on the client side and each of those has its own advantages and disadvantages. And the options are:

If you set the JWT in a cookie, the browser will automatically send the token along with the URL for same-site requests. But it is vulnerable to CSRF.

We can protect the site against CSRF by setting the cookie with SameSite=strict.

Edit 1: I̶n̶ ̶g̶e̶n̶e̶r̶a̶l̶ ̶p̶e̶o̶p̶l̶e̶ ̶m̶i̶g̶h̶t̶ ̶t̶h̶i̶n̶k̶,̶ ̶X̶S̶S̶ ̶c̶a̶n̶ ̶b̶e̶ ̶d̶e̶f̶e̶a̶t̶e̶d̶ ̶i̶f̶ ̶w̶e̶ ̶s̶e̶t̶ ̶t̶h̶e̶ ̶h̶t̶t̶p̶O̶n̶l̶y̶ ̶f̶l̶a̶g̶,̶ ̶b̶u̶t̶ ̶i̶t̶ ̶i̶s̶ ̶p̶o̶s̶s̶i̶b̶l̶e̶ ̶t̶o̶ ̶a̶t̶t̶a̶c̶k̶ ̶b̶y̶ ̶u̶s̶i̶n̶g̶ ̶X̶S̶T̶ ̶”̶s̶u̶b̶s̶e̶t̶”̶ ̶(̶k̶i̶n̶d̶a̶)̶ ̶o̶f̶ ̶X̶S̶S̶.̶

Edit 2: We can easily defeat the XSS by setting the httpOnly flag.

Pros:

Con:

localStorage

localStorage doesn’t send the data automatically along with the URL, so you need to implement the handling of the auth token for every URL yourself. But the best part is that this method is not vulnerable to CSRF.

Pros

Con

Session Storage

Session Storage is pretty much the same as Local Storage, except the token will be accessible in only one tab; once the tab is closed, the session gets destroyed. So it is not useful for a feature like “remember me”. But it can be used for a multi-login feature, where Tab A is in one login and Tab B is in a different login.

Pros:

Con:

You might notice that all the 3 methods have the same con — “Vulnerable to XSS”. Yes, all these methods are vulnerable to XSS. Please do care about XSS and always follow the best practices for XSS protection.

Both localStorage and sessionStorage are not protected against XSS by default.


Answer is posted for the following question.

Where jwt token is stored?
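The answer above compares cookies, localStorage and sessionStorage by two properties: whether the browser attaches the token to requests on its own (which is what makes cookies CSRF-relevant and SameSite the mitigation) and whether page script can read the token (which is what HttpOnly changes for cookies and nothing changes for Web Storage). The following is an added example, not code from the original post: it builds the hardened Set-Cookie header, parses it back to check the flags, models the SameSite send decision and the script-readability of each location, and shows the Authorization header an application must add itself when the token lives in Web Storage. The function names, the sample JWT (an unsigned, constructed value with a dummy signature) and the simplified SameSite model are assumptions for illustration; the model ignores browser-specific Lax edge cases. Note the caveat the example encodes: HttpOnly hides the cookie from document.cookie, but script already running on the page can still issue requests that carry it, so XSS remains a risk for every option.

```javascript
// Added example (not from the original post). Runs in Node, no browser needed.

// Constructed sample token: base64url header and payload with a dummy signature.
const SAMPLE_JWT =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyLTEyMyJ9.constructed-dummy-signature";

// Build the Set-Cookie header for a JWT with the flags the post discusses:
// SameSite=Strict (CSRF), HttpOnly (not readable via document.cookie), Secure (HTTPS only).
function buildJwtCookie(name, jwt, { maxAgeSeconds = 3600 } = {}) {
  // A compact JWT is three base64url segments; reject anything else (and anything with ';').
  if (!/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/.test(jwt)) {
    throw new Error("value does not look like a compact JWT");
  }
  return `${name}=${jwt}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Strict`;
}

// Parse a Set-Cookie header back into its attributes, the kind of check a test
// suite runs to make sure a login response never ships the token without its flags.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = v;
    else if (key === "max-age") cookie.maxAge = Number(v);
    else if (key === "path") cookie.path = v;
  }
  return cookie;
}

// Simplified model of the browser's SameSite rule: is the cookie attached to a request?
// Same-site requests always carry it; cross-site requests depend on the attribute.
function cookieWouldBeSent({ sameSite, requestIsSameSite, isTopLevelNavigation, method }) {
  if (requestIsSameSite) return true;
  switch (sameSite) {
    case "Strict":
      return false; // never on cross-site requests: this is the CSRF mitigation
    case "Lax":
      return isTopLevelNavigation && method === "GET"; // only top-level GET navigations
    case "None":
      return true; // sent everywhere (requires Secure in real browsers)
    default:
      throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// Model of what script running on the page can read from each storage location.
// HttpOnly removes the cookie from document.cookie; Web Storage is always script-readable.
function readableByPageScript(location, cookie) {
  switch (location) {
    case "cookie":
      return !cookie.httpOnly;
    case "localStorage":
    case "sessionStorage":
      return true;
    default:
      throw new Error(`unknown location: ${location}`);
  }
}

// When the token is in localStorage/sessionStorage the browser sends nothing on its
// own, so the application attaches it per request. Nothing is sent cross-site unless
// page code does so, which is why these options are not CSRF-prone.
function buildAuthHeaders(token) {
  return { Authorization: `Bearer ${token}` };
}

// Stand-alone demo of the three comparisons.
function demo() {
  const cookie = parseSetCookie(buildJwtCookie("access_token", SAMPLE_JWT));
  return {
    flags: { httpOnly: cookie.httpOnly, secure: cookie.secure, sameSite: cookie.sameSite },
    crossSitePostSendsStrictCookie: cookieWouldBeSent({
      sameSite: "Strict", requestIsSameSite: false, isTopLevelNavigation: false, method: "POST",
    }),
    scriptReadsHttpOnlyCookie: readableByPageScript("cookie", cookie),
    scriptReadsLocalStorage: readableByPageScript("localStorage", cookie),
    manualHeader: buildAuthHeaders(SAMPLE_JWT),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The model separates the two questions the post mixes under "vulnerable": cookieWouldBeSent answers the CSRF question (who can cause the token to be sent), readableByPageScript answers the token-theft question (who can read it). Only the cookie with HttpOnly answers "no" to the second, and only SameSite=Strict or the Web Storage options answer "no" to the first.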

Answer


You will be the one person who has ultimate responsibility for the safety and education of hundreds, perhaps thousands, of children.

This takes commitment, personal drive, resilience and integrity.

The newly devised National Professional Qualification for Headship (NPQH) is a Department for Education-accredited programme of national significance and the rather negative message in the recent article ”5 things I didn’t learn in headship training” has rattled the cage of those who provide the NPQH.

In simple terms, the article does not represent those of us who deliver exemplary NPQH programmes as DfE-accredited providers. Not to put too fine a point on it, there is possibly a range of quality in terms of the NPQ programmes as each provider writes and facilitates their own programmes.

However, be reassured that the DfE provides clear learning outcomes that we have to adhere to and there is an independent quality assurance agent in place to ensure quality and consistency across all the providers.

At the Alliance of Leading Learning (ALL), and many other organisations delivering the NPQ programmes, we are genuinely in this to support our school leaders and make a difference.

Those of us providing exemplary professional learning have worked hard to engage school leaders and encourage the new heads of the future to value this as a highly privileged job.

Contrary to the opinion that the NPQH programme had a frustrating lack of useful advice, there are hundreds of our NPQH alumni who directly attribute their promotions to headship to our NPQH programme and reference how practical the programme is.

It could be argued that “one man’s meat is another man’s poison” (as said by Roman poet Lucretius) but articles such as Mr Stanier’s undermine the work we are doing, and there appears to be a lack of understanding of the aims of the NPQH.

This is not a “headteacher in a box” content-driven, operational programme.  It is not aimed at a school leader with only “knowledge of classrooms”. Only those ready for headship within the next 18 months are ordinarily accepted on to the programme.

The NPQH is about developing the leadership skills required of our future exemplary headteachers and creating independent reflective thinkers. The modules are designed to:

The NPQH is also a work-based programme developing leadership in the workplace - learning on the job and doing real leadership work through impact-driven assessment projects.


Answer is posted for the following question.

is npqh worth it?

Answer


B Funk Dance Company We provide a professional quality dance education that brings confidence, discipline, and a strong sense of commitment to our dancers


Answer is posted for the following question.

How to join b funk?

Answer


In case you get caught without insurance for the second time then you will be liable to pay a fine of Rs 4000, and imprisonment of up to 3 months is also possible under the discretion of law.


Answer is posted for the following question.

Car without insurance penalty in india?

Answer


It is the best source of employment. Animals that provide milk can be raised and managed with a good income to support a family. Animals that help in labor such as draught animals are used in agricultural work. The waste generated from these animals can be used as natural manure to maintain soil fertility.


Answer is posted for the following question.

What are the benefits of cattle farming?

