-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use secure cookies as default storage method for Auth #2213
Comments
Hi @ffxsam Thanks for the suggestion/feature-request! |
More info:
|
@manueliglesias Any update on this one? |
any update on this one? |
bump -- just adding my +1 for this feature request. |
I was testing auth.signIn and I noticed it stores everything in localstorage identityid/cognitoidp/accesstoken/id token/refresh token. Why is this? This is not safe at all right or am i mistaken? |
Correct. But you can override it: https://aws-amplify.github.io/docs/js/authentication#manual-setup |
Thanks @ffxsam. I have a followup to this: If i open 3 tabs, sign in using three different users, then signout/close one tab. What do i need to do with amplify to sign that user out only and keep the remaining three users signed in? In addition, if I sign in to the same user three times in three different tabs, does signing out in one tab invalidate the other two tabs? |
What you're asking for is not possible. One tab or four, they're all using the same shared cookies and local storage if it's the same website. Typically you would use a different browser or an incognito/private tab to log in as a different user in a different window. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Closing as secure cookies can be set with a custom storage adapter:
( |
Hello, thank you for aws-amplify. Our dev team loves it. Why is local storage still the default for aws-amplify? Is it just out of convenience? I see we can switch over to cookies, thanks for the links (above) but still wondering why this hasn't been patched, or if it is even necessary. Thanks and have a great day. |
This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs. Looking for a help forum? We recommend joining the Amplify Community Discord server |
I realize this is a breaking change, so maybe reserve this for a major version. Secure cookies are a more secure option than using localStorage.
The text was updated successfully, but these errors were encountered: