JavaScript - Is it bad security to save a JWT in a cookie in order to pass it to local storage?
In order to make Twitter sign-in work with JWT sessions and AngularJS, I have created a JWT with the Twitter username and display name, passed it in a cookie, and saved it to local storage. Here's the relevant code:
Log in users and save the cookie:
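// Start the Twitter OAuth flow through passport's 'twitter' strategy.
app.get('/login/twitter', passport.authenticate('twitter'));

/**
 * Twitter OAuth callback.
 *
 * Runs passport's 'twitter' strategy without a server-side session, mints a
 * JWT for the authenticated user, and hands it to the browser in a 'jwt'
 * cookie before rendering the login page.
 *
 * @param {object} req - Express request.
 * @param {object} res - Express response.
 * @param {function} next - Express error/continuation callback.
 */
app.get('/login/twitter/callback', function(req, res, next) {
  passport.authenticate('twitter', { session: false }, function(err, user, info) {
    if (err) {
      console.log(err);
      // Stop here: previously execution fell through and dereferenced `user`
      // even though authentication had failed.
      return next(err);
    }
    if (!user) {
      // Authentication was rejected without an error; there is nobody to
      // issue a token for.
      return res.status(401).end();
    }

    var token = user.generatetwitterjwt();

    // The client reads this cookie from script ($cookies.get('jwt')), so it
    // cannot be marked HttpOnly in this design; any script running on the
    // page can read the token. Mark it Secure whenever the request arrived
    // over TLS so it is not sent back over plain HTTP.
    // NOTE(review): the cookie has no expiry and is only cleared by the
    // client after a successful save; consider a short maxAge.
    res.cookie('jwt', token, { secure: req.secure });
    res.render('login.jade');
  })(req, res, next);
});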
Save to local storage and remove the cookie:
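/**
 * Moves the JWT from the 'jwt' cookie into the authentication service's
 * storage, then deletes the cookie and navigates to the profile page.
 */
$scope.twittertest = function() {
  var jwtcookie = $cookies.get('jwt');

  authenticationservice.savetoken(jwtcookie)
    // The callback must declare `err`; without the parameter the reference
    // below threw a ReferenceError as soon as the save failed.
    // NOTE(review): `.error` is the legacy $http promise helper; presumably
    // savetoken returns an $http promise - confirm.
    .error(function(err) {
      if (err) {
        console.log(err);
      }
      // NOTE(review): on failure the token stays in the script-readable
      // cookie; decide whether it should be removed here as well.
    })
    .then(function() {
      // The token has been handed over, so drop the cookie copy.
      $cookies.remove('jwt');
      var url = '/profile';
      $window.location.href = url;
    });
};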
I'm wondering if there are drawbacks to doing this. Are there security issues? I'm trying to use JWT and AngularJS and save to localStorage in the process, because that's how I set up local login.
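You can use the browser's sessionStorage instead of localStorage; sessionStorage is more secure because it is deleted when the browser session ends. Also, store the token directly in sessionStorage instead of in a cookie; the cookie is not required in this case. Note that sessionStorage, localStorage and a script-readable cookie can all be read by any script running on the page, so none of them protects the token against cross-site scripting.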