Where should i store token on the client

Question

I have a slight problem understanding where i should store my token (client side). So it is sent every time i change page on the server.

     @Override
    public User getValue(HttpContext c) {
      // This is where the credentials are extracted from the request
      final String header = c.getRequest().getHeaderValue(CUSTOM_HEADER);
      try {
        if (header != null) {
          final Optional<User> result = authenticator.authenticate(new Credentials(header,"",""));
          if (result.isPresent()) {
            return result.get();
          }
        }
      } catch (AuthenticationException e) {
        throw new WebApplicationException(Response.Status.UNAUTHORIZED);
      }

      if (required) {
        throw new WebApplicationException(Response.Status.UNAUTHORIZED);
      }

      System.out.println("NO TOKEN RETURNING NULL");

      return null;
    }
  }

This is how my authentication looks like in dropwizard. I need the token to be sent with the HttpContext.

So if i try to go into adress/securedpage. Then the HttpContext should have this token. So the server knows if the user is authorized to access or not

So after a successful login from the clientside. Where should i put the token that is received from the server?

Wouldn't it be better if a DB server from your side holds the session tokens with the timers and what not? — Jared Teng, Mar 04 '15 at 13:59
im pretty new to authentication. So im still trying to learn. The server is storing the token (or i am going to store is as fast as i get the client side going). But my guess is that the client needs to send it so the server know what client wants what. — Jemil Riahi, Mar 04 '15 at 14:03
http://stackoverflow.com/questions/3804209/what-are-sessions-how-do-they-work to know more.... — Jared Teng, Mar 04 '15 at 14:05
The problem i have mostly is with the clientside. I do not know how i should store the data i get from the server. So if i store it in a http header. How would it work if i in the adress field on the browser. I type in the adress i want to go to? Would the header still be there? — Jemil Riahi, Mar 04 '15 at 14:13
It looks like you're implementing stateless RESTful service, therefore the client needs to store the token, and send it each time. @Daniel and JaredT are leading you towards the stateful/session solution. Just to clear things up. Your question and the code sample is focusing on the server side, while the actual question is about the client side. It's better if you could put some client-side code, as well as the context (using any specific libraries/framework?). From the tags I can see it's javascript so you probably should look for browser storage options. — Natan, Mar 14 '15 at 23:23

score 3 · Answer 1 · edited Sep 10 '19 at 13:42

You have many options. This is a good link to understand pros and cons https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage/

Store it in local browser storage. As described in the previous link it has some risks.
Store it in a cookie in client side, it can be safer than local browser storage.
Don't store the token but store username and password in the browser or client-side cookie, and then retrieve a new token by sending credentials silently.
Use a client side javascript library like https://github.com/IdentityModel/oidc-token-manager to rely on its token management features. By default it stores the retrieved token in localStorage (available throughout all the tabs) and it can be configured with silent_renew:true so that it automatically refreshes the token prior to its expiration using an iframe (without explicit browser redirection).

Where should i store token on the client

1 Answers1