SpoonX/aurelia-authentication

Consider supporting httpOnly cookie for storing token

gregoryagu opened this issue · 3 comments

I am no security expert.

But I am told that using an httpOnly cookie is more secure than localStorage.

See also this

Thoughts?

The server sets the cookie, and isn't the point that client-side scripts cannot access it? As I understood it, everything here is as usual. Additionally, the cookie is set by the server when requesting your token. Then, when e.g. refreshing, the server additionally checks that cookie. There is nothing to do on the client side. It's all server side.

Yes, you are correct - it is primarily a server-side thing.

However, there is one configuration item to be done on the client in order to get the cookie to be sent to the server with each request:

The fetch client needs to have credentials: 'include', set. When I use the fetch client, I do this:

this.httpClient.configure((config: any) => {
  config
    .withDefaults({
      credentials: 'include',
      headers: {
        "Authorization": bearerToken
      }
    });
});

But how do I configure the instance of the fetch client that Aurelia-orm is using?

Ok, I found how to do this:

.plugin(PLATFORM.moduleName('aurelia-api'),
  config => {
    config
      .registerEndpoint('protected-api', ServiceConfig.serviceName, {credentials: 'include'});
  })