Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

jwt served via httponly cookie with someway to find out is-logged-in

Tags:

javascript

cookies

jwt

While building a javascript SPA (single page application) I need to display some pages differently based on if the user is logged in or not.

Auth is handled by JWT which is served via httpOnly cookie and secure headers.

That leaves cookie not accessible from the SPA javascript and that in turn means I don't know if the user is logged in or not.

I did check some posts on how to solve this problem and found some suggestions like

  • send another cookie which is not httpOnly with some flag like session ID or user ID with expiry date and in the client side JS, use that cookie to see if the user is authenticated.

  • create an endpoint on API server, something like /is-logged-in and make a http call from JS to check if the user is authenticated or not before displaying the page.

  • store JWT locally without cookies (obviously a no go due to the security reasons and the amount of code I will have to write to mitigate all kinds of possible stealing attacks)

I am late to the SPA party but I am sure this has to be a long solved problem. I am unable to see something obvious I guess.

Please point me to the right direction.

For completeness, here are some unanswered, semi answered related posts

like image 649
user728650 Avatar asked Mar 24 '20 04:03

user728650

1 Answers

You have basically two choices:

Save that the user is logged in with a second non-http cookie that expires

Pros

  • No addition HTTP request required
  • No latency before you know if the user is logged in

Cons

  • You need to keep the expiration and renewal of both cookies in sync
  • If your cookies are not in sync anymore because of an edge case, you will need to detect it and act accordingly

Use an HTTP request that will tell you if the user is logged in or not

Pros

  • Less error prone
  • No need to change the backend

Cons

  • You still need to detect if the user is no longer logged in while the user is using the app
like image 170
Benoit Tremblay Avatar answered Nov 08 '22 15:11

Benoit Tremblay
Sign in to Comment

Related questions

How do I correctly capture Materialize-CSS datepicker value in React?
browserify + tsify + babelify; babel gets ignored
How to load web worker using webpack's worker loader
Intersection Observer API: Observe the center of the viewport
How to trigger click on ref in Vue.js
Passing JWT token to SockJS
Jquery Datatable Buttons Not Showing Up On React js
How to output the list of problems that vscode shows when opening a JS file, by using only the terminal:?
Webpack load different modules based on chunk
Dynamically compiling and running a react-native app inside another
How to authenticate and embedded Grafana charts into iframe?
VueJS hook mounted() is not called when page is re-open by vue-router
Configure a TypeScript project with common dependencies to build multiple plain JavaScript output files
Make input range not jump when I hit thumb not exactly in center
REACT-Toastify - Duplicates toasts
How to prevent multiple clicks in Ionic 4 using debouncetime?
Create JavaScript Waveform Visualization With Howler.js
Eslint is working from terminal, but not showing error in the editor UI (VSCode)
Pass object to query on Router.push NextJs
How to install packages in just one package.json file in Yarn workspaces?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!