JWT Cookie #4

matteioo · 2024-02-22T12:40:57Z

The backend needs to return a HttpOnly cookie to handle authentication via a secure way so that the JWT access and refresh tokens are not accessible via XSS. The client then sends the cookie with every subsequent request to the backend, automatically authenticating the requests as long as the JWT is not expired.

bresu · 2024-02-22T14:19:26Z

Will look into this

bresu · 2024-02-22T17:44:07Z

Token pair creation works. How will the token be sent in the subsequent requests? In the form of a header? Need this so I can add it to the security middleware

matteioo · 2024-02-22T17:47:30Z

Due to the nature of HttpOnly cookies, the client is not able to extract the JWT token. Therefore, the token will be sent as a cookie with every request.

bresu · 2024-02-24T20:50:11Z

I think I implemented this correctly, please test so I can close this issue

matteioo · 2025-02-03T16:51:48Z

Cookie currently sent via HTTP header Authorization. Will look into it once the domains for FE + BE are cleared. Domains needed for Cookie context: domain so we can set it to Lax if they share the same domain differing by subdomain.

matteioo added the enhancement label Feb 22, 2024

bresu assigned bresu and matteioo Feb 27, 2024

matteioo added the prio:LOW label Feb 5, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

JWT Cookie #4

JWT Cookie #4

matteioo commented Feb 22, 2024

bresu commented Feb 22, 2024

bresu commented Feb 22, 2024

matteioo commented Feb 22, 2024

bresu commented Feb 24, 2024

matteioo commented Feb 3, 2025

JWT Cookie #4

JWT Cookie #4

Comments

matteioo commented Feb 22, 2024

bresu commented Feb 22, 2024

bresu commented Feb 22, 2024

matteioo commented Feb 22, 2024

bresu commented Feb 24, 2024

matteioo commented Feb 3, 2025