7

I am creating a website using AngularJS client side and communicating in REST with a backend (in an other domain).

To authenticate every calls, I pass a token through the header of each HTTPS call : "Authorization : Bearer access_tokenXXXXXX"

When the token expires, I am able to create a new one thanks to a refresh_token.

The access_token and the refresh_token need to be stored client side, because the browser needs to have it in clear text before setting it in the HTTP request header.

My questions are :

Question 1 : What is the recommanded way to store the access_token and the refresh_token to make it available to the browser so it is relatively secure? (I have quiet sensitive data like personal pictures)

Question 2 : What are the recommanded lifetime (= time before it is not usable) for access_token AND refresh_token? (FYI I refresh the token after a 401 response, and my app is a social app)

Question 3 : Do I have an architactural issue? Should I change it in order not to have JavaScript using token at all, and use HTTP-ONLY cookies?

Thanks :)

Geoffrey

UPDATE :

I finally chosed to go for HTTP-ONLY cookies. I am using Django Oauth Toolkit so Django is waiting the authorization in the HTTP header, and not in a cookie.

To solve that, I am using a Middleware that gather the token of the cookie and set it in the header. It should also allow me to re-authenticate the user (with the refresh token) before the access_token expires.

Geoffrey D
  • 578
  • 1
  • 6
  • 13

2 Answers2

4

I think you're right in asking question 3. Definitely use HTTP-Only cookies, that's the safest type of browser storage.

As described in the links provided by smwikipedia, using HTTP-Only cookies helps defend against XSS. To also defend against CSRF you should check out this AngularJS mechanism.

The actual format of the cookies can be JWT or anything else.

The answer to question 2 really depends on your users' sweet spot in trading off between tight security and convenience. You know your users best so it's really your own judgement call.

orange77
  • 933
  • 8
  • 12
  • Thank you for your answer, I will switching to HTTP-ONLY cookies. concerning CSRF, I am using Django Rest Framework with this module : https://github.com/ottoyiu/django-cors-headers and it is working perfectly, so I should be OK :) – Geoffrey D Dec 18 '15 at 13:16
  • I assume that you mean HTTPS-Only instead of HTTP-Only ? – Peter Scott Jun 12 '16 at 17:29
  • 1
    HTTP-Only is a flag set on the cookies which tells the browser not to give JavaScript access to it, another flag - "SECURE" tells the browser not to send the cookies without using HTTPS. So you need should use both flags on authentication related cookies – actual_kangaroo Jul 05 '17 at 04:37
0

I am facing similar questions to yours.

I am developing a service layer for both browser-based and non-browser clients. I plan to use JWT (JSON Web Token) to authenticate both.

It's too long for a comment so I post it as an answer.

For question 1, according to here, they recommend to store JWT token in cookie due to security considerations.

For question 2, here is a thread about expiration handling for JWT.

For question 3, I have no comment yet.

Community
  • 1
  • 1
smwikipedia
  • 61,609
  • 92
  • 309
  • 482
  • Thank you for this answer, I will go for HTTP-ONLY secured cookies :) (but I won't implement JWT, it seems overkill) – Geoffrey D Dec 18 '15 at 13:25