Adding a Cookie option to complement JWT #10
Comments
I always had thought that cookie generation is something that the client does. It's quite interesting to see multiple cookies involved in auth. I have to do a bit of research about it as well. I will update you in this thread if I add this to the project.
Researching this myself as well but am having a lot of trouble finding good sources on it. Frustrating for something that is such a common problem with web APIs. If you find any good resources on it, would love to see them.
Is your feature request related to a problem? Please describe.
Currently, when using an API built like this with a modern front end (e.g. Angular, React, Vue), you need to store the JWT in localStorage or sessionStorage. You can also create a cookie client side, but that comes with risks of its own.
Describe the solution you'd like
Ideally, we'd be able to return an HttpOnly cookie with the JWT to be used that way. As a bonus, I've seen an even more secure method of using cookies and JWT by having your API use two cookies, one HttpOnly and one client side cookie, both of which would be required to have a valid session.
Describe alternatives you've considered
I'm researching how to add this on my project, but am new to the auth realm, so figured I'd float the idea here since it's a very common need.
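The two-cookie idea raised in this issue, sketched as an added example that is not code from this project or from anyone in the thread. It assumes one common way to split the token, which the issue does not specify: the JWT `header.payload` goes in a script-readable cookie and the HS256 signature goes in an HttpOnly cookie. The cookie names `jwt_payload` and `jwt_sig` and the key are hypothetical.

```python
from __future__ import annotations
import base64, hashlib, hmac, json
from http.cookies import SimpleCookie

SECRET = b"constructed-demo-key"  # constructed value; load from a secret store in practice

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(signing_input: str) -> str:
    return b64url(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue_cookies(claims: dict) -> list[str]:
    """Return two Set-Cookie values that together carry one HS256 JWT."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    jar = SimpleCookie()
    jar["jwt_payload"] = f"{header}.{payload}"     # front-end script may read the claims
    jar["jwt_sig"] = sign(f"{header}.{payload}")   # signature is hidden from script
    jar["jwt_sig"]["httponly"] = True
    for name in jar:
        jar[name]["secure"] = True                 # HTTPS only
        jar[name]["samesite"] = "Strict"           # not sent on cross-site requests
        jar[name]["path"] = "/"
    return [morsel.OutputString() for morsel in jar.values()]

def verify_request(cookie_header: str) -> dict | None:
    """Return the claims only if both cookies are present and the signature matches."""
    jar = SimpleCookie(cookie_header)
    if "jwt_payload" not in jar or "jwt_sig" not in jar:
        return None                                # either half alone is not a session
    signing_input = jar["jwt_payload"].value
    expected = sign(signing_input).encode()
    if not hmac.compare_digest(expected, jar["jwt_sig"].value.encode()):
        return None                                # payload edited or signature forged
    body = signing_input.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

if __name__ == "__main__":
    for line in issue_cookies({"sub": "user-1"}):
        print("Set-Cookie:", line)
```

A real deployment would also put an `exp` claim in the payload and reject expired tokens in `verify_request`.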