Reputation: 1986
jwt served via httponly cookie with someway to find out is-logged-in
While building a javascript SPA (single page application) I need to display some pages differently based on if the user is logged in or not.
Auth is handled by JWT which is served via httpOnly cookie and secure headers.
That leaves cookie not accessible from the SPA javascript and that in turn means I don't know if the user is logged in or not.
I did check some posts on how to solve this problem and found some suggestions like
send another cookie which is not httpOnly with some flag like session ID or user ID with expiry date and in the client side JS, use that cookie to see if the user is authenticated.
create an endpoint on API server, something like
/is-logged-inand make a http call from JS to check if the user is authenticated or not before displaying the page.store JWT locally without cookies (obviously a no go due to the security reasons and the amount of code I will have to write to mitigate all kinds of possible stealing attacks)
I am late to the SPA party but I am sure this has to be a long solved problem. I am unable to see something obvious I guess.
Please point me to the right direction.
For completeness, here are some unanswered, semi answered related posts
- Send a GET request on page load only if user is logged in
- How to find out if user is logged in having httpOnly JWT token cookie?
- JWT in httpOnly cookie - AuthGuard and protected routes (Node.js, Angular)
- http-only cookie + token : double job?
Upvotes: 18
Views: 4435
Answers (2)
Reputation: 1
Actually yes i use rtk Query and send the response data to the localStorage
const initialState = {
userInfo:
typeof window !== "undefined" && localStorage.getItem("userInfo")
? JSON.parse(localStorage.getItem("userInfo") || "{}")
: null,
} as AuthState;
// #5
const authSlice = createSlice({
name: "auth",
initialState,
reducers: {
setCredentials: (state, action) => {
state.userInfo = action.payload;
localStorage.setItem("userInfo", JSON.stringify(action.payload));
},
logout: (state) => {
state.userInfo = null;
localStorage.removeItem("userInfo");
},
},
});
export const { setCredentials, logout } = authSlice.actions;
export default authSlice.reducer;
Upvotes: -1
Reputation: 728
You have basically two choices:
Save that the user is logged in with a second non-http cookie that expires
Pros
- No addition HTTP request required
- No latency before you know if the user is logged in
Cons
- You need to keep the expiration and renewal of both cookies in sync
- If your cookies are not in sync anymore because of an edge case, you will need to detect it and act accordingly
Use an HTTP request that will tell you if the user is logged in or not
Pros
- Less error prone
- No need to change the backend
Cons
- You still need to detect if the user is no longer logged in while the user is using the app
Upvotes: 11
Related Questions
- Using JWT stored in HTTPonly & secure cookie: Vulnerable to CSRF. but not to XSS?
- JWT / Session Cookie Authentication Hybrid
- JWT using signed-cookies to access JWT token from front-end
- How can I validate a JWT passed via cookies?
- How to store JWTs in HttpOnly Cookies?
- HTTP API Gateway JWT Authorizer to take identity source from cookie
- Store/validate JWT token stored in HttpOnly cookie in .net core api
- Verify JWT on browser
- httpOnly cookies are visible
- Authentication with JWT