Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Single page apps: auth token management and browser refreshes

Tags:

javascript

browser

angularjs

single-page-application

api

When working on an Angular app, I have a single page app that communicates with a JSON web service for data.

A "login" in my Angular app is really just exchanging a username/password for a token. That token is passed as a header on all subsequent requests so the server can authorize them. This works great until the users refreshes their browser window of course (via refresh or leaving the "page" and returning).

Obviously one option would be to make the user enter their username/password again, but that seems like a good way to not have any users.

I can think of 4 options:

  1. Store token in a secure session cookie. (What I'm doing now. I am only using so the client can read. Not used or wanted on the server.)
  2. Store token using local storage of some kind. (Would be insecure and require manual expiration maintenance.)
  3. Prevent user from refreshing browser with some "onbeforeunload" code. (I don't like when I get the "are you sure you want to leave this page" messages and I assume others feel the same.)
  4. Include token as part of url. (Could make url's look big and messy. Possible physical security risk. Might make for extra work with bookmarking and expired tokens.)

Is option 1 the best option for this functionality? Is there something better to do than all of these?

like image 559
user605331 Avatar asked Jan 19 '14 15:01

user605331

1 Answers

I think option 1 is the best one for your use case. All major web frameworks have support for this option.

In case you need to handle this manually you need to ensure these steps:

  • The web service will process the initial authentication request by creating and setting a secure authentication cookie. The auth cookie should be time based(only valid for a specific time interval) and its value should be a unique value if possible;
  • After the initial authentication request all subsequent requests will pass the authentication cookie with the request header automatically - this is handled by the browser.
  • The web service needs to handle cookie based authentication on subsequent requests by validating the cookie value and returning an error if the cookie has expired.
  • You need to ensure a client side global authentication handler captures any authentication exceptions and displays a friendly message to the user.
like image 183
Alex Pop Avatar answered Nov 16 '22 02:11

Alex Pop
Sign in to Comment

Related questions

ng-view along with ng-animate executes directive twice
Angular.js and DAO pattern
Setting PhantomJS viewportSize in QUnit test
Dynamically populate up to 3 dropdowns based on previous dropdown selections
Google+ Sign in from Javascript - Invalid Parameter value for origin
Is it possible to retrieve the *full* HTML page source of an iframe with Javascript?
scroll to specific element on page using jquery [duplicate]
Forcing AJAX request to revalidate cache with server, without reloading completely
how to check flash plugin is blocked in Chrome
Data Visualization: Best tools to generate simple charts in PDF with Javascript or Python [closed]
Convert d3.js bubbles into forced/gravity based layout
How to make images sortable in contenteditable div by jQueryUI, jQuery Mobile and touchpunch in iOS?
How does indirect eval work [duplicate]
Grunt jasmine tests fail in terminal but not the browser
Passing form data and file to php using ajax [duplicate]
How to build a no install, client-side only, database web app
gridster, how to auto fit to browser size change?
Converting Fabric.js text to path
Parse JavaScript Date in local time zone
Hiding empty elements on page load, but not afterwards using knockout.js

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!