I know it looks like a stupid question; usually a bearer token is stored in LocalStorage and sent with a request containing the Authorization header field. However, recently I read this article:
https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
The above article argues that localStorage shouldn't be used because of XSS attacks and suggests using a session cookie (with the HttpOnly flag) to store the JWT token. This method seems reasonable.
In this case, JavaScript cannot read the cookie (which contains the access_token) since the HttpOnly flag is set, hence I cannot append the token to the request Authorization header.
So is it possible that passport-http-bearer will also read the token from a session cookie in future?
@lvbeck I agree with you. I would like to use a cookie for storing the JWT. There are several benefits.
First, it's simpler because the browser automatically adds the token to each request.
Second, when using social logins to authenticate users (passport-facebook/passport-google) you need to pass the new token with the redirect response. I know two options for how to do this: add the token to the query string or add a record to the cookie. So in this case using cookies is the simpler way as well.
It would be very nice to add this feature. I've created a pull request #46
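The two messages above describe accepting the JWT from an HttpOnly cookie instead of (or in addition to) the Authorization header, and setting that cookie on the redirect after a social login. The following is an added example illustrating that flow in plain Node.js; it is not code from the passport-http-bearer project, the linked pull request, or either commenter. The cookie name `access_token` follows the wording of the issue; the site origin `https://example.test`, the function names, and the sample requests are constructed assumptions. It also goes one step beyond the thread: because a browser attaches cookies automatically, a token read from a cookie needs a cross-site request check that a token read from the Authorization header does not, so `isRequestAllowed` applies an Origin check for state-changing requests.

```javascript
// Added example (not the project's own code). Plain Node.js, no dependencies.
// Shows: (1) reading a bearer token from the Authorization header with an
// HttpOnly-cookie fallback, (2) building the Set-Cookie value for issuing the
// token, and (3) the extra check cookie-sourced tokens need on unsafe methods.

const COOKIE_NAME = 'access_token';          // name taken from the issue text
const SITE_ORIGIN = 'https://example.test';  // assumed origin for illustration

// Parse a raw Cookie request header into a name -> value map.
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Extract the token from a request-like object ({ method, headers: {...} }).
// The header wins so existing API clients keep working; the cookie is the
// fallback for browser sessions where page scripts cannot read the token.
function extractToken(req) {
  const auth = req.headers['authorization'] || '';
  const m = /^Bearer\s+(\S+)$/i.exec(auth);
  if (m) return { token: m[1], source: 'header' };
  const cookies = parseCookies(req.headers['cookie']);
  if (cookies[COOKIE_NAME]) return { token: cookies[COOKIE_NAME], source: 'cookie' };
  return null;
}

// Build the Set-Cookie value sent with the post-login redirect response.
// HttpOnly keeps the token away from page scripts (the XSS concern raised in
// the issue); Secure limits it to HTTPS; SameSite restricts cross-site sending;
// a short Max-Age bounds how long a stolen cookie stays useful.
function buildSetCookie(token, { maxAgeSeconds = 900, sameSite = 'Strict' } = {}) {
  return [
    `${COOKIE_NAME}=${encodeURIComponent(token)}`,
    'HttpOnly',
    'Secure',
    `SameSite=${sameSite}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
  ].join('; ');
}

// A token that arrived in the Authorization header was attached deliberately by
// the client. A token that arrived in a cookie was attached by the browser, so a
// state-changing request must additionally prove it came from our own origin.
function isRequestAllowed(req, extracted) {
  if (!extracted) return false;
  if (extracted.source === 'header') return true;
  if (['GET', 'HEAD', 'OPTIONS'].includes((req.method || 'GET').toUpperCase())) return true;
  return (req.headers['origin'] || '') === SITE_ORIGIN;
}

// Constructed sample requests (not captured traffic) showing the three paths.
function demo() {
  const apiClient = { method: 'GET', headers: { authorization: 'Bearer aaa.bbb.ccc' } };
  const browserPost = { method: 'POST', headers: { cookie: 'theme=dark; access_token=aaa.bbb.ccc' } };
  const crossSitePost = { method: 'POST',
    headers: { cookie: 'access_token=aaa.bbb.ccc', origin: 'https://attacker.invalid' } };
  return {
    apiClient: isRequestAllowed(apiClient, extractToken(apiClient)),
    browserPost: isRequestAllowed(browserPost, extractToken(browserPost)),
    crossSitePost: isRequestAllowed(crossSitePost, extractToken(crossSitePost)),
    setCookie: buildSetCookie('aaa.bbb.ccc'),
  };
}

module.exports = { parseCookies, extractToken, buildSetCookie, isRequestAllowed, demo };
```

In the demo, the API client and the same-origin browser request are accepted, while the cross-site POST that carries only the cookie is refused even though the token itself is valid; that refusal is the part of the design the thread's simplicity argument leaves out.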