Storing tokens in a HTTP-only cookie #213
Hello,
Replies: 2 comments 1 reply
Hey, @amirsoofali, thanks for opening this issue! Honestly, I'd love nothing more than to add this layer of security to the library and further protect users from XSS attacks. However, due to the nature of the PKCE flow (for which this library exists), I don't think it would work. This is only a React library, and it does not do anything directly with the server. And to set an HTTP-only cookie, you need to make a server request and have the server do that in its response. See this bit on MDN about HTTP-only cookies. In short, it's impossible (by design) to set/overwrite/edit HTTP-only cookies in JavaScript, and since this is a React/JS library, I'm sad to say there isn't much for us to do about it. I'm very open to ideas, however, so if you have any specific ideas on how we could get around this, we're all ears.
What @sebastianvitterso is saying is 100% right.
Tokens in cookies are a "server solution". You can search for any plugins for whatever web server framework you are using. Or this project might cover your needs: https://github.com/oauth2-proxy/oauth2-proxy