Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Is storing an OAuth 2 token in cookies bad practice? If so, what are alternatives for a web app?


1 Answer

Whether you can store the access_token in cookies depends on the following things:

  1. Is the access_token stored in the cookie encrypted or not? (It definitely should be.)
  2. The access_token is a bearer token, so it is not tied to browser flows. Cookies in general are meant for maintaining state in browsers. So if the lifecycle of the token is the same as that of the cookie, go ahead; otherwise not. When I say lifecycle, I mean lifespan, etc.
  3. Also, please consider the fact that an access token is not an identity token.
  4. Access tokens are completely client side, and servers that generally use cookies to maintain sessions mostly maintain a matching server-side session as well.

I hope this helps.

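As an added example (not code from the answer above or from any library), here is how the answer's first two conditions, an encrypted token and a cookie whose lifetime equals the token's, look in Go: the access token is sealed with AES-256-GCM under a key that stays on the server, and the cookie's MaxAge is taken from the OAuth token response's `expires_in` seconds, with HttpOnly, Secure and SameSite set so the ciphertext is never exposed to page scripts or plain HTTP. The cookie name `at` and the 32-byte key are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"net/http"
)

// aead builds AES-256-GCM over a 32-byte server-held key; a wrong key length is a deployment bug, so it panics.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// SealToken encrypts the access token so the browser only ever holds base64url(nonce || ciphertext || tag).
func SealToken(key []byte, token string) string {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // the OS CSPRNG failing is not recoverable here
	}
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(token), nil))
}

// OpenToken decrypts a cookie value; a tampered value or a wrong key fails the GCM tag check.
func OpenToken(key []byte, value string) (string, error) {
	gcm := aead(key)
	raw, err := base64.RawURLEncoding.DecodeString(value)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("malformed cookie value")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	return string(pt), err // on failure pt is nil and err reports it
}

// TokenCookie gives the cookie the token's own lifetime (expires_in, in seconds) and keeps it out of scripts and off plain HTTP.
func TokenCookie(key []byte, token string, expiresIn int) *http.Cookie {
	return &http.Cookie{Name: "at", Value: SealToken(key, token), Path: "/", MaxAge: expiresIn,
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode} // "at" is a hypothetical name
}
```

Because the cookie is dropped when the token would expire anyway, refreshing the token means issuing a new cookie, which keeps the two lifecycles aligned as the answer requires.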