Save Access Token


1

I’m designing a simple login architecture and I’m unsure where to save the user's access token.

The system will be developed as an SPA using AngularJS, and the server will be a REST API that is not yet defined. When the user logs into the system, he will receive a key that will be his access token for any other operation on the system.

My question is how to store this token on the client side. A cookie is an option, but it does not seem safe, since it is very simple to open a cookie and see the token. I also thought of storing it in Web Storage, but I do not know if that is a good idea either.

Is there any pattern to this situation?

1 answer

1

There is no standard; most of the time you will find applications storing it in cookies, but HTML5 Web Storage is also often used.

What you have to keep in mind is that if you choose to use cookies, you will have to take precautions against CSRF, and for this an additional synchronizer token is usually used.

Some web frameworks offer an easy way to protect against CSRF and automatically add a sync token to your UI (ASP.NET MVC, for example), but by using AngularJS you will be writing your own UI and will have to write a solution in JavaScript to manage this sync token.

That is, in this case, because you are using AngularJS, you could choose HTML5 Web Storage to have one token less to worry about.
