-
-
Notifications
You must be signed in to change notification settings - Fork 211
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Storing the authentication token in an HTTP-only cookie on the server side #269
Comments
I can answer (2) and (3):
Now for (1) Hope this helps :) I keep telling myself I'll find some time for this project soon, others are doing a great job of maintaining it in the meantime though :) |
I would love to see this solution implemented as well. It would be very useful! |
I would really like to challenge how useful this would be? |
Apparently I wasn't thinking when I wrote the answer last time, because I agree with @johnraz - Django already has Session auth if I remember correctly, what is the benefit of adding it to this package? |
Hey guys! Thank you for the quick replies. You make a good point, I had gone down the rabbit hole of figuring out what the best way to secure our client side token was and didn't realize I was just replicating the same authentication flow of simply using sessions. So as you suggested rather than hosting our front end and back end on different domains and sharing cookies we'll host on a subdomain. I hope other people see your answer as I'm finding a lot of other developers attempting to replicate what I was doing. Thank you so much! |
@James1345 I think we should close this issue and the related PR to make the decision of not doing this kinda final. |
It seems that storing authentication tokens in HTTP-only cookies is the most secure way of attaching the token to requests. As far as I understand, even if the frontend and backend are served from separate domains, CORS rules can be implemented to allow the cookies.
So, I have a few questions surrounding the option of storing the auth token in an HTTP-only cookie on the server side via KNOX:
The text was updated successfully, but these errors were encountered: