Reputation: 9587
We are currently making an Angular-based app. All info comes from an API.

We don't want to store any state on the client side with cookies etc. So when a user refreshes the app, we had planned to call /account/details, which will return the user object if logged in, false if not.

The trouble is, the security model we have used is that we set an auth-token (returned as part of the user object from the above /account/details or successful /login call) that is sent in the header of any API request. The API checks that this auth-token sent in the header matches what's in the logged-in-users table and sends back the data if there is a match.

Obviously, the problem is, on refresh we aren't saving anything client side, so we don't have this auth-token to send any more.

The API, as it's on the same domain, sets a PHP session cookie. We were thinking that for this /account/details call only we could match the session cookie value against the logged-in-users table. However, this sounds dodgy to us. Would this be OK? Or is there another, much simpler way to overcome this chicken-and-egg situation?
Upvotes: 0
Views: 164
Reputation: 128993
You may consider having the application use sessionStorage to store the authentication token. This has the advantages of the cookie you're looking for, but is maintained by JavaScript and is not automatically sent to the server.
Upvotes: 2
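One way to wire this up, as an added example that is not code from the question or the answer above: the token returned by /login is kept in sessionStorage and put on every API call as a request header, so after a refresh the /account/details call can be authenticated exactly like any other call and no session-cookie lookup is needed. The header name (X-Auth-Token) and the field name on the user object (authToken) are assumptions; storage is injectable so the same code runs outside a browser.

```javascript
// Added example, not code from the question or the answer above.
// Keeps the API auth token in sessionStorage (per tab, gone when the tab
// closes, never attached to requests automatically the way a cookie is) and
// puts it on every API call as a request header. The header name and the
// shape of the user object (an `authToken` field) are assumptions.

const TOKEN_KEY = 'apiAuthToken';
const AUTH_HEADER = 'X-Auth-Token'; // assumed; use whatever the API expects

// Small in-memory stand-in with the subset of the Storage API used below,
// for environments without window.sessionStorage (Node, unit tests).
function memoryStorage() {
  const items = new Map();
  return {
    getItem: (key) => (items.has(key) ? items.get(key) : null),
    setItem: (key, value) => { items.set(key, String(value)); },
    removeItem: (key) => { items.delete(key); },
  };
}

// Prefer the browser's sessionStorage; fall back to memory elsewhere.
function defaultStorage() {
  return typeof sessionStorage !== 'undefined' ? sessionStorage : memoryStorage();
}

// Thin wrapper so the rest of the app never touches storage keys directly.
function createTokenStore(storage = defaultStorage()) {
  return {
    save(token) {
      if (typeof token !== 'string' || token.length === 0) {
        throw new TypeError('auth token must be a non-empty string');
      }
      storage.setItem(TOKEN_KEY, token);
    },
    load() { return storage.getItem(TOKEN_KEY); },
    clear() { storage.removeItem(TOKEN_KEY); },
    hasToken() { return this.load() !== null; },
  };
}

// After POST /login (or GET /account/details): the API returns the user
// object on success and `false` otherwise. Persist the token only on success.
function handleLoginResponse(store, user) {
  if (!user || typeof user.authToken !== 'string' || user.authToken === '') {
    store.clear();
    return false;
  }
  store.save(user.authToken);
  return true;
}

// Build fetch() arguments for an API call, adding the auth header when a
// token is present. No token means the call goes out unauthenticated and
// the API answers as it would for a logged-out user.
function buildRequest(store, method, path, body) {
  const headers = { Accept: 'application/json' };
  const token = store.load();
  if (token !== null) headers[AUTH_HEADER] = token;
  const options = { method, headers };
  if (body !== undefined) {
    headers['Content-Type'] = 'application/json';
    options.body = JSON.stringify(body);
  }
  return { url: path, options };
}

// After any API response: a 401 means the server no longer recognises the
// token (logged out elsewhere, expired, revoked), so drop it client-side too.
function handleApiStatus(store, status) {
  if (status === 401) {
    store.clear();
    return false;
  }
  return true;
}

// On refresh, the app asks the API who the current user is. Because the
// token survived in sessionStorage, /account/details is authenticated with
// the same header as every other call; no cookie matching is needed.
async function restoreSession(store, fetchImpl = fetch) {
  if (!store.hasToken()) return null;
  const { url, options } = buildRequest(store, 'GET', '/account/details');
  const res = await fetchImpl(url, options);
  if (!handleApiStatus(store, res.status)) return null;
  const user = await res.json();
  return handleLoginResponse(store, user) ? user : null;
}
```

Two things worth knowing before relying on this: sessionStorage is scoped to one tab, so a second tab starts logged out until it calls /login itself, and anything stored there is readable by any script running on the origin, so the token is only as safe as the page is from injected script. On the plus side, because the token travels in a header the app sets explicitly rather than in a cookie the browser attaches on its own, cross-site requests never carry it.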