3rd-party cookies are becoming increasingly difficult to work with, and Chrome seems intent on killing them entirely if at all possible. Rather than keep working around these issues with cookies, we should switch to a different mechanism. It's a bit more work, but it'll pay off in not having to fight these cookie fires over and over.
This task is done when...

- we've picked a different approach
  - my initial thought is to take the token we're currently putting in the cookie and instead send it back and have subsequent requests put it in the Authorization header, similar to a bearer token
- implemented
- documentation is updated
This looks good! I wish I'd known about passport's JWT strategy in the first place! I only have two comments:

1. We can't turn off sessions entirely. Without a server-side component, we can't satisfy some of the NIST requirements in order to get an Authority to Operate (ATO).

   Without a session on the server side, users would log out by throwing away their JWT. However, if a 3rd-party had intercepted their JWT, it would still be valid until it expired. Having server-side sessions allows a complete logout. (AC-12). We manage this now by putting the session ID into the JWT and using the session ID to look up the user ID. On logout, we remove the session ID from the database.

2. We can't allow administrators to forcibly log users out. (I think there's a NIST control for this, but I can't find it now... maybe I'm just dreaming. 🤷‍♂️)

I think I'd lean towards storing the token in local storage rather than Redux since, presumably, only the API wrapper would ever need it. But that's just a gut response.