How to store authentication bearer token in browser cookie using AngularJS

Question

I have created a bearer token using ASP.net Identity. In AngularJS I wrote this function to get authorized data.

$scope.GetAuthorizeData = function () {
  $http({
    method: 'GET',
    url: "/api/Values",
    headers: { 'authorization': 'bearer <myTokenId>' },
  }).success(function (data) {
    alert("Authorized :D");
    $scope.values = data;
  }).error(function () {
    alert("Failed :(");
  });
};

So I want to store this token into Browser cookies. If this token is present there , then take the token and get the data from IIS server Otherwise redirect to login page to login to get a new token.

Similarly, if user click onto log out button, it should remove the token from browser cookie.

How to do this ? It it possible ? Is it proper way to authenticate and authorize a user ? What to do if there are multiple users token ?

cbass · Accepted Answer · 2015-12-31T12:19:45.637

There is a $cookies service available in the AngularJS API using the ngCookies module. It can be used like below:

function controller($cookies) {
    //set cookie
    $cookies.put('token', 'myBearerToken');

    //get cookie
    var token=$cookies.get('token');

    //remove token
    $cookies.remove('token');
}
controller.$inject=['$cookies'];

For your case it would be:

//inject $cookies into controller
$scope.GetAuthorizeData = function () {
    $http({
        method: 'GET',
        url: "/api/Values",
        headers: { 'authorization': 'bearer <myTokenId>' },
    })
    .success(function (data) {
        $cookies.put('token', data);
    }).error(function () {
        alert("Failed :(");
    });
};

You will also have to add the angular-cookies module code. And add it to your angular app: angular.module('myApp', ['ngCookies']);. Docs for Angular Cookies.

I would also like to suggest the usage of a Http interceptor which will set the bearer header for each request, rather than having to manually set it yourself for each request.

//Create a http interceptor factory
function accessTokenHttpInterceptor($cookies) {
    return {
        //For each request the interceptor will set the bearer token header.
        request: function($config) {
            //Fetch token from cookie
            var token=$cookies.get['token'];

            //set authorization header
            $config.headers['Authorization'] = 'Bearer '+token;
            return $config;
        },
        response: function(response) {
            //if you get a token back in your response you can use 
            //the response interceptor to update the token in the 
            //stored in the cookie
            if (response.config.headers.yourTokenProperty) {
                  //fetch token
                  var token=response.config.headers.yourTokenProperty;

                  //set token
                  $cookies.put('token', token);
            }
            return response;
        }
    };
}
accessTokenHttpInterceptor.$inject=['$cookies'];

//Register the http interceptor to angular config.
function httpInterceptorRegistry($httpProvider) {
    $httpProvider.interceptors.push('accessTokenHttpInterceptor');
}
httpInterceptorRegistry.$inject=['$httpProvider'];

//Assign to module
angular
    .module('myApp')
    .config(httpInterceptorRegistry)
    .factory('accessTokenHttpInterceptor', accessTokenHttpInterceptor)

Having the http interceptor in place you do not need to set the Authorization header for each request.

function service($http) {
    this.fetchToken=function() {
        //Authorization header will be set before sending request.
        return $http
            .get("/api/some/endpoint")
            .success(function(data) {
                 console.log(data);
                 return data;
            })
    }
}
service.$inject=['$http']

As stated by Boris: there are other ways to solve this. You could also use localStorage to store the token. This can also be used with the http interceptor. Just change the implementation from cookies to localStorage.

function controller($window) {
    //set token
    $window.localStorage['jwt']="myToken";

    //get token
    var token=$window.localStorage['jwt'];
}
controller.$inject=['$window'];

Ya.Got it. Thank you. Nice explanation. – Bimal Das Dec 31 '15 at 16:13 — Bimal Das, Dec 31 '15 at 16:13
Hello, where will `` be? where to find it? – Kavipriya Apr 05 '17 at 09:20 — Kavipriya, Apr 05 '17 at 09:20

Boris · Answer 2 · 2015-12-31T12:44:31.830

I would advise against keeping the data in a cookie, for security purposes you should set the cookies to secure and HttpOnly (not accessible from javascript). If you're not using SSL, I would suggest moving to https.

I would pass the token from the auth endpoint in a json response:

{
    tokenData: 'token'
}

You can save the token data in sessionStorage by using the $window service:

$window.sessionStorage.setItem('userInfo-token', 'tokenData');

It will be cleared once the user closes the page, and you can manually remove it by setting it to empty string:

$window.sessionStorage.setItem('userInfo-token', '');

Edit:

Interceptor implementation for catching data, adapted from cbass (not tested, you can inspect the objects for response/request to fiddle with the information):

//Create a http interceptor factory
function accessTokenHttpInterceptor($window) {
    return {
        //For each request the interceptor will set the bearer token header.
        request: function($config) {
            //Fetch token from cookie
            var token=$window.sessionStorage.getItem('userInfo-token');

            //set authorization header
            $config.headers['Authorization'] = 'Bearer '+token;
            return $config;
        },
        response: function(response) {
            //if you get a token back in your response you can use 
            //the response interceptor to update the token in the 
            //stored in the cookie
            if (response.config.url === 'api/token' && response.config.data.tokenData) {
                  //fetch token
                  var token=response.config.data.tokenData;

                  //set token
                  $window.sessionStorage.setItem('userInfo-token', token);
            }
            return response;
        }
    };
}

accessTokenHttpInterceptor.$inject=['$window'];

Thanks a lot. I have not tried $window yet in angular JS.Neither have any idea to use SSL. Where should I write these codes? Can you give me more clear answer . — Bimal Das, Dec 31 '15 at 12:14
You can put the handlers for session storage in a service, or like cbass mentions below using a httpInterceptor. — Boris, Dec 31 '15 at 12:32
Saving the token in the session storage means also that if I open a link in a new tab the token from the session storage isn't available. The user would need to authenticate again (on every tab) which is really annoying. Possible solution: http://stackoverflow.com/a/32766809/1878249 — goflo, Oct 21 '16 at 08:59
@goflo that's right depending on how the new tab gets opened (it must be a new browsing context so the `sessionStorage` is not shared). The fallback with `localStorage` would be useful for such a case. Another alternative with using `window.name` to keep the data which I find a questionable technique and would consider a last resort. That being said I didn't experience any issue with opening new tabs in my app. But I may have had a slightly different configuration than described above (it's been more than six months since I've touched that code). — Boris, Oct 21 '16 at 10:27

How to store authentication bearer token in browser cookie using AngularJS

2 Answers2

Linked