Is your feature request related to a problem? Please describe.
Currently, when using an API built like this with a modern front end (e.g. Angular, React, Vue), you need to store the JWT in localStorage or sessionStorage. You can also create a cookie client side, but that comes with risks of its own.
Describe the solution you'd like
Ideally, we'd be able to return an HttpOnly cookie with the JWT to be used that way. As a bonus, I've seen an even more secure method of using cookies and JWT by having your API use two cookies, one HttpOnly and one client side cookie, both of which would be required to have a valid session.
Describe alternatives you've considered
I'm researching how to add this on my project, but am new to the auth realm, so figured I'd float the idea here since it's a very common need.
I always had thought that cookie generation is something that the client does. It's quite interesting to see multiple cookies involved in auth. I have to do a bit research about it as well. I will update you in this thread if I add this to the project.
Thanks
Researching this myself as well but am having a lot of trouble finding good sources on it. Frustrating for something that is such a common problem with web APIs. If you find any good resources on it would love to see them.