Save access token

1

I am designing a simple login architecture and am unsure where to save the user access token.

The system will be developed in SPA using AngularJS and the server will be a REST API not yet defined. When the user logs on to the system, he will receive a key that will be his access token to do any other operation on the system.

My question is how to store this token on the client side. A cookie is an option, but it does not seem safe, since it is very simple to open a cookie and see the token. I also thought of saving it in Web Storage, but I do not know if that is a good idea either.

Is there a pattern for this situation?

asked by anonymous 06.02.2016 / 21:47

1 answer

1

There is no set pattern; most of the time you'll find applications storing it in cookies, but HTML5 Web Storage is also often used.

What you have to keep in mind is that if you choose to use cookies, you will have to guard against CSRF, and for this an additional synchronization token is usually used.

Some web frameworks provide an easy way to protect against CSRF and automatically add a synchronization token to your UI (ASP.NET MVC, for example), but when using AngularJS you will be writing your own UI and will have to code a JavaScript solution to manage this synchronization token yourself.

That is, in this case, since you are using AngularJS, you could choose HTML5 Web Storage so as to have one token less to worry about.

06.02.2016 / 22:44