Handling authentication in a REST web application

Question

I am using Angular JS as my front end framework and a REST server in back end (Using Spring). My Question is about handling the authentication in such a scenario.

So I have a login screen with email, password and a remember me option. If I check remember me I am storing the username and password in a cookie.

While the page is loaded, if I find remember me cookie, I will login automatically with the details and obtain an auth token and use for the entire session. If I dont have remember me option, I will ask the user to enter username and password to login.

My issue is, If I use a different tab to open a protected page, if I haven't selected remember me option it is asking for login again. But I dont want that behavior. I want to persist the session info for all tabs.

How can I do that?

Answer 1

First, I thing you should not store password in a cookie but instead the token you get from auth. This is safer because you can easily revoke a token when it is complexe to revoke a password.

You should give a look at HTML5 localStorage which seems to do exactly what you need. The only concert is about the fact it will persist even if you close it (like a cookie). Maybe make sure it is deleted when you close the application (using javascript unload)

To make sure you remove localStorage on unload, you should keep track of how many tabs are open, and then only remove the auth on unload of the last tab :). It not last tab, you just decrease your localStorage counter of tabs ... should work, but far from being elegant.

Instead of coding it by yourself, you should use intercom.js which also go a little bit deeper :D