0

I am building an SPA app with a guest checkout. During this, I call one API to create the guest user's address and name data, and then another to add other details about the checkout.

Is there a way to ensure that the current guest/anonymous user who is in session is from the same session, when calling different APIs? I can't create a token on the client because then the username/password for the token would be accessible to anyone. Is there a common pattern or product that people use for this without creating a token?

Thanks

Terry

Terry Carter
  • 61
  • 1
  • 2
  • Session Variables? Local or Session variables. – Dylan Wright Mar 24 '17 at 19:26
  • Maybe not that good of an idea if it's in plain text. But if your token is in encrypted session variables should be okay. This is a good article too. http://stackoverflow.com/questions/19594202/is-it-secure-to-store-a-password-in-a-session – Dylan Wright Mar 24 '17 at 19:31
  • I don't have an authenticated user, so can't use session. So is the recommended approach for this to generate a signed token on the server side (even if it's just contains a random ID and expiry), and then link the random ID from the token to the transactions that happen behind your server side APIs? – Terry Carter Mar 27 '17 at 18:06
  • i think you need some kind of temporary storage. Not sure how helpful my answer is but I would target both server and client side. Create business rules against the length of storage and how long you want to keep on both sides. You could keep the temp in the database and store linking in some other table. I don't know something needs to exist and then disappear. Good luck, sorry couldn't be more helpful – Dylan Wright Mar 28 '17 at 14:53

0 Answers0