Is it safe to store a Bearer token in a cookie?
Good evening. There is an API with OAuth 2 authorization, api.site1.ru, and two SPA applications, site1.ru and shop.site1.ru, that need to share a single authorization.
At first there was only one site and the token was stored in localStorage, but a subdomain has no access to the main domain's storage.
When there were two sites, they switched to cookies. The mechanism is as follows:
On registration / login the user is given two cookies: auth-cookie and refresh-cookie. Requests are sent with the auth-cookie; if it has expired, a request is made to refresh the token, the refresh-cookie is checked, and new ones are issued: auth-cookie and refresh-cookie.
Both cookies come with the following parameters:
minutes: 1 month,
domain: .site1.ru (and subdomains)
secure: true,
httpOnly: false (otherwise there is no way to send requests).
What actually concerns me: is this implementation of the task safe and correct?
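An added example, not part of the question or of any answer on this page: server-side helpers for api.site1.ru that issue the same two cookies with HttpOnly set and still authenticate requests, because the browser attaches cookies itself (fetch with credentials: 'include'), so the SPA never needs JavaScript access to the token. The cookie names and the .site1.ru domain come from the question; the shorter access-token lifetime and the SameSite values are assumptions.

```javascript
// Added illustration (not the asker's code). Assumptions: Node.js, no
// framework; attribute choices below are suggestions, not the site's config.

// Build one Set-Cookie header value. Domain=.site1.ru makes the cookie
// available to both site1.ru and shop.site1.ru, as the question requires.
function buildSetCookie(name, value, { maxAgeSeconds, domain, httpOnly = true, sameSite = 'Lax' }) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  parts.push(`Max-Age=${maxAgeSeconds}`);
  parts.push(`Domain=${domain}`);
  parts.push('Path=/');
  parts.push('Secure');                 // never sent over plain http
  if (httpOnly) parts.push('HttpOnly'); // not readable via document.cookie
  parts.push(`SameSite=${sameSite}`);   // limits cross-site sending (CSRF)
  return parts.join('; ');
}

// Parse the incoming Cookie request header into a plain object.
function parseCookies(cookieHeader = '') {
  const out = {};
  for (const pair of cookieHeader.split(';')) {
    const idx = pair.indexOf('=');
    if (idx < 0) continue;
    const k = pair.slice(0, idx).trim();
    if (k) out[k] = decodeURIComponent(pair.slice(idx + 1).trim());
  }
  return out;
}

// Server-side token lookup: accept "Authorization: Bearer ..." (for
// non-browser clients) or fall back to the HttpOnly auth-cookie. Because
// the server reads the cookie, httpOnly:false is not needed for requests.
function extractBearer(headers) {
  const m = /^Bearer\s+(\S+)$/i.exec(headers.authorization || '');
  if (m) return m[1];
  return parseCookies(headers.cookie)['auth-cookie'] || null;
}

// Issue the pair after login or a successful refresh. The refresh cookie
// keeps the one-month lifetime from the question; the access cookie is
// given a short lifetime here (assumption), so a stolen one expires fast.
function issueSessionCookies(accessToken, refreshToken) {
  const month = 30 * 24 * 60 * 60;
  return [
    buildSetCookie('auth-cookie', accessToken, { maxAgeSeconds: 15 * 60, domain: '.site1.ru' }),
    buildSetCookie('refresh-cookie', refreshToken, { maxAgeSeconds: month, domain: '.site1.ru', sameSite: 'Strict' }),
  ];
}
```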