This repository has been archived by the owner on May 26, 2020. It is now read-only.
After using JWT tokens in an unsafe way for a little over a year, I've finally decided that I would like to fix my current setup.
I read everywhere that it is not good to save a JWT token in the local client and that it is best to use an HttpOnly cookie.
I'm now trying to use JWT_AUTH_COOKIE in order to create an HttpOnly cookie.
I'm getting the cookie correctly returned by the server when using the getToken API. What I'm wondering now is how I can refresh the token.
When I call refreshToken, I get the following response:
{"token":["This field is required."]}
True, I'm not sending any token in the request's header, and that is what I want, since the client isn't supposed to keep it saved anywhere.
And that is where I'm getting confused:
If I'm not wrong, from now on the cookie should be added to every request the client makes to the server.
Shouldn't the server check the cookie after it sees that no token has been passed in the Header?
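Added example, not part of the original issue and not the library's own code: a stdlib-only sketch of the lookup order the question asks about, where a refresh handler falls back to the HttpOnly cookie when neither the header nor the `token` body field carries a token. The secret, the cookie name `jwt`, the `JWT ` header prefix, the 300-second lifetime and all function names are assumptions made for the example.

```python
import base64, hashlib, hmac, json, time
from http.cookies import SimpleCookie

SECRET = b"constructed-demo-secret"  # constructed value, not from the issue
COOKIE_NAME = "jwt"                  # assumed value of JWT_AUTH_COOKIE

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload):  # compact HS256 JWT
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(payload).encode())
    mac = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"

def verify(token, now):  # payload if signature and exp are valid, else None
    try:
        head, body, sig = token.split(".")
        mac = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(_unb64(sig), mac):
            payload = json.loads(_unb64(body))
            return payload if payload["exp"] > now else None
    except (ValueError, KeyError, TypeError):
        pass  # malformed token: treat as invalid
    return None

def find_token(headers, body):
    auth = headers.get("Authorization", "")
    if auth.startswith("JWT "):            # 1. explicit header
        return auth[4:]
    if body.get("token"):                  # 2. "token" field in the request body
        return body["token"]
    morsel = SimpleCookie(headers.get("Cookie", "")).get(COOKIE_NAME)
    return morsel.value if morsel else None  # 3. cookie sent by the browser

def refresh(headers, body, now=None, lifetime=300):
    now = int(time.time()) if now is None else now
    token = find_token(headers, body)
    if token is None:
        return 400, {"token": ["This field is required."]}, {}
    payload = verify(token, now)
    if payload is None:
        return 401, {"detail": "Invalid or expired token."}, {}
    new = sign({**payload, "exp": now + lifetime})
    # The new token goes back only as a cookie, never in the JSON body.
    cookie = f"{COOKIE_NAME}={new}; HttpOnly; Secure; SameSite=Strict; Path=/"
    return 200, {}, {"Set-Cookie": cookie}
```

Because the browser attaches the cookie automatically, a cookie-authenticated refresh endpoint also needs CSRF protection; `SameSite=Strict` in the example is one such control.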