Is storing an OAuth 2 token in cookies bad practice? If so, what are alternatives for a web app?
- Check [this answer](http://stackoverflow.com/a/40376819/204699), which has a comparison of possible options and their pros and cons for storing security tokens in browser-based client applications. – João Angelo Dec 12 '16 at 09:29
4 Answers
Whether you can store the access_token in cookies depends on the following things:
- Is the access_token stored in the cookie encrypted or not (it definitely should be)
- An access_token is a bearer token, so it is not tied to browser flows. Cookies in general are meant for maintaining state in browsers. So if the lifecycle of the token is the same as the cookie's, go ahead; otherwise not. When I say lifecycle, I mean lifespan, etc.
- Also, please consider the fact that an access token is not an identity token
- Access tokens are completely client side, whereas servers that generally use cookies to maintain sessions mostly maintain a matching server-side session as well.
I hope this helps.
I definitely wouldn't do it. When security is involved you should not store stuff in places where others can access it. So don't store it anywhere, especially client-side.
That being said, it's not bad practice per se if handled properly. See this comprehensive article about it.

TigOldBitties
- Storing it under a session cookie seems to be a good way to go. Any objections to this method? – Tryingitall987 Dec 10 '16 at 16:57
- It all depends on how it's being handled: can somebody else use the token if the user leaves the computer and does not close the browser? I can't answer that as I don't know what you use it for. There are too many things to be said, all of which are explained in the article or in other resources better than I ever could, and so you have to draw your own conclusions about whether your approach has any flaws. – TigOldBitties Dec 10 '16 at 17:05
- I don't think this answer makes sense. Sessions inescapably require storing something on the client, no way around it. We just have to decide *what* to store and *how* to store it. The question being asked is: are access_tokens an okay thing to store in the session cookie, or should something else be stored? – Lucian Wischik Jun 14 '19 at 18:15
- @LucianWischik the inescapability you mention is not that inescapable if you configure your app to store your session variables in the db or server-side. In that case you only store session identifiers in a cookie. I think it doesn't make sense to you because you can't know what you don't know. I would suggest reading up on ways to store session stuff. My answer in other words is that I wouldn't store a security token in a cookie client-side if I can avoid it. Maybe unless it's foolproof encrypted, which the question doesn't mention, does it? – TigOldBitties Jun 28 '19 at 08:43
- @TigOldBitties You say to store session identifiers in a cookie. That is storing something on the client -- as I said, inescapable. The question is *what* to store and what guarantees must it have? If someone eavesdrops a session identifier, what will they get out of it? If someone eavesdrops an access token, will they get any more or less out of it? If the answer is "I don't know but my rule of thumb is only ever store session identifiers on the client" then that's not an answer to the question. If the answer is "access token is weaker than sessionID because of XYZ" then that'd be a real answer. – Lucian Wischik Jul 02 '19 at 15:30
- @LucianWischik I believe you are missing what TigOldBitties meant. He said to store in the SERVER-side session (or use db rules) and to avoid client-side cookie storage of sensitive data, which, as you said, means you'll need to make good decisions on what we store there. I assume, as does TigOldBitties, that you don't do much backend (server) coding and therefore would only be thinking in terms of the client side when discussing cookies or sessions. So, as TigOldBitties said, it IS escapable (client-side cookies with sensitive data) when you use a server (backend). – kodahScripts Aug 26 '21 at 15:31
- "You should not store stuff in places where others can access it" is correct. Storing an encrypted token in a session cookie that is httponly and secure is a place where others can't access it. Storing them database-side is "safer", I tend to agree, but given how often applications in the wild have SQL injection vulnerabilities, where, once in, they can access ALL sessions, I think it's overrated to think that it's safer; it all depends on how you secure things. Both are fine, both need proper safety measures. – Brecht De Rooms Feb 26 '23 at 20:13
Cookies have a max size of 4kb, so if you are saving a lot of info in the token you will get an error.

Dmitriy Kovalenko
Yes, you can, but only if you are securely storing it. Follow this link for more about cookie security: https://techblog.topdesk.com/security/cookie-security/

Flash Noob