
We are currently making an Angular-based app. All info comes from an API.

We don't want to store any state on the client side with cookies etc. So when a user refreshes the app, we had planned to call /account/details, which will return the user object if logged in, false if not.

The trouble is, the security model we have used is that we set an auth-token (returned as part of the user object from the above /account/details or successful /login call) that is sent in the header of any api request.

The api checks that this auth-token sent in the header matches what's in the logged-in-users table and sends back the data if there is a match.

Obviously, the problem is, on refresh we aren't saving anything client side so don't have this auth-token to send any more.

The api, as it's on the same domain sets a php session cookie. We were thinking that for this account/details call only we could match the session cookie value against the logged-in-users table. However this sounds dodgy to us. Would this be ok? Or is there another much simpler way to overcome this chicken and egg situation?

  • You say in the second paragraph that “we don't want to store any state on the client side with cookies,” but in the last paragraph you state that “the API […] sets a PHP session cookie.” Are you or aren't you okay with using cookies? Commented Sep 19, 2013 at 2:54
  • We ideally don't want the front end to set any cookies. If it is the best way to go then we can use JS to set an auth-token cookie. Is there a better way though? Commented Sep 19, 2013 at 3:07
  • Is there any reason you're rolling your own authentication token in a new header rather than just using the PHP session or having the API set a cookie? Commented Sep 19, 2013 at 3:08
  • The only reason is that eventually the API may not run on the same domain in which case it won't be able to set cookies. Right? Talking about it out loud now, I think the only way is to store the auth-token in a cookie. We were originally following this method jamesward.com/2013/05/13/… but have lost our way a bit. :) Commented Sep 19, 2013 at 3:16
  • If the API doesn't run on the same domain, it won't be able to set cookies accessible to your application, but it should be able to set cookies that it itself can access. I do now see that you're trying to protect against CSRF attacks, which does indeed make things trickier… Commented Sep 19, 2013 at 3:20

1 Answer


You may consider having the application use sessionStorage to store the authentication token. This has the advantages of the cookie you're looking for, but is maintained by JavaScript and is not automatically sent to the server.


1 Comment

That actually could be a good solution. Will give that a shot. Thankyou.
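The sessionStorage approach described in the answer, as an added example that is not part of the original post. Assumptions: the token field on the user object is named `authToken`, the API reads it from an `X-Auth-Token` header (the question only says "the header"), and `send(path, headers)` stands in for the real transport ($http or fetch) and returns `{ ok, user }`.

```javascript
const TOKEN_KEY = 'authToken';

// In a browser `sessionStorage` is a global: per-tab, cleared when the tab
// closes, and never sent to the server on its own. The constructed in-memory
// stand-in below only exists so this example also runs under Node.
const storage = (typeof sessionStorage !== 'undefined') ? sessionStorage : (() => {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
})();

// Called with the user object returned by /login (or /account/details).
// Assumption: the token field is named `authToken`.
function rememberLogin(user) {
  if (!user || !user.authToken) throw new Error('login response has no authToken');
  storage.setItem(TOKEN_KEY, user.authToken);
  return user;
}

function logout() { storage.removeItem(TOKEN_KEY); }

// Headers for any API call. The token is attached explicitly by application
// code, so unlike a cookie the browser never adds it by itself; that is what
// keeps it usable across domains and out of the ambient-authority CSRF problem.
// Assumption: the API reads the header `X-Auth-Token`.
function authHeaders(extra = {}) {
  const token = storage.getItem(TOKEN_KEY);
  return token ? { ...extra, 'X-Auth-Token': token } : { ...extra };
}

// On app start, including after a refresh: if a token survived in
// sessionStorage, ask /account/details who we are; otherwise treat the user
// as logged out. A rejected token is dropped so we do not keep resending it.
function restoreSession(send) {
  if (!storage.getItem(TOKEN_KEY)) return null;
  const res = send('/account/details', authHeaders());
  if (!res.ok) { logout(); return null; }
  return res.user;
}
```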
