How to persist bearer token on client side

Question

I'm trying to get my head around claims based authentication in ASP.NET Web API 2. In my application I use the VS 2013 template, which implements OAuth 2.0 and uses bearer token (JWT as I remember). My question is - what is the best way to persist token on the client side. In his book Badrinarayanan Lakshmiraghavan describes bearer token as

A bearer token is like cash: finders, keepers.

Therefore, is it safe to save it to a cookie? Doesn't it mean that whoever will steal the cookie will get full access to the application? On the other hand I could encrypt the token using hash just before saving it to the cookie. Would it be safe enough? Are there any other alternatives? I've seen few questions asking similar question on stackoverflow, but have never found satisfying answer.

Answer 1

is it safe to save it to a cookie?

No. Cookies can be stolen via XSS attacks (and other vectors) Also, this might be susceptible to CSRF since a cookie will be submitted automatically with any request.

I could encrypt the token using hash just before saving it to the cookie

This will also not work. Hashing is not a secure way to encrypt (and moreover does not allow decryption)

Are there any other alternatives?

Basically, you should give the token to the user over a secured connection (HTTPS) but they should manually submit it for security (again over HTTPS)