New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Web storage and progressive enhancement #47
Comments
Another _GREAT_ Question from the Wizard! 👍 However... So in conclusion: I would add |
is there a specific reason the JWTS stored in local storage should be sent in the headers or is there anything vulnerable/"wrong" about using https://www.npmjs.com/package/node-localstorage? |
@Jbarget are you building a "Universal" that requires you to have access to |
@nelsonic we'll probably end up setting it in the headers of each request, thanks for the clarity! |
@Jbarget do you have an objection to storing the JWT in a cookie? (it simplifies your life...) |
@nelsonic no objection, am i right in thinking it simplifies my life by being able to access the cookies from anywhere in the app as opposed to local/session storage? |
It simplifies your app because once the cookie is set by the server, all requests sent/received will always contain the cookie. which means you never need to think about it after that point. |
Not necessarily though this depends on your toolset. Angular for example allows you to set this once .. i think you can even do with jquery easily.
Another issue with cookies as transport layer for tokens is you are using 2 timeouts and you don't get the benefit of avoiding CORS issues. Cookies complicate access to RESTful web services. Is much easier to construct a curl one liner to access a resource with a token than bundling in a cookie. |
This is issue is being automatically closed as it's more than a year old. Please feel free to reopen it if it's still relevant to your project. |
In #5, #46 and most discussions online, people seem to default to using local storage / session storage for JWTs, rather than in a cookie. This requires using AJAX throughout the app so that the header can be set from web storage each time. My understanding is that this to prevent cross-site request forgeries (and is essentially leveraging the same-origin policy to do this).
How does this fit with progressive enhancement, where some devices will not support javascript at all?
The text was updated successfully, but these errors were encountered: