0

I do have a problem about understanding crossdomains cookies.

I am currently working on a kind of small micro services architecture app ( I only splitted the front-end and the back-end). So I followed this tutorial :

https://pragmaticstudio.com/tutorials/rails-session-cookies-for-api-authentication.

At first, when reading this tuto, it seemed to be a good idea to opt for cookies based authentication. Everything was working fine on development, but when I push it on production (on 2 differents domain name), thing was not working anymore..

So after a few searches on the internet, I found that modern browser tended to block crossdomain cookies. I found an article on stack overflow which redirected me to this post :

https://medium.com/@ArturoAlvarezV/use-session-cookies-to-authenticate-a-user-with-a-rails-api-backend-hosted-in-heroku-on-one-domain-f702ddf8c07

where they advise us to use a special gem. But when I read the gem doc, they said that it would become useless by 2022...

After some more searches, I found that the best way to manage it was probably to use JWT. I read few articles, and they advocate to use cookies set with httponly flag to safely store refresh tokens...

So here is my question: No matter which authentication system I choose, I will still need my back-end to send cookies to my front-end? Or in case of JWT, should my back-end sent refresh tokes as json and then the front-end app saves it as httponly cookies?? Or do I misunderstand something about changes in cookies management?

I know the question may seemed stupid, but more I deep into this topic, more I get confused...

Thanks

Unik6065
  • 25
  • 5
  • On an unrelated note. I am going through a similar issues (Backend sending refresh token as JSON and access tokens as cookies) with cookies although my problem is slightly different than yours. This [RFC8582-draft](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps) recommends not to use cookies for token storage. – Neil Jul 18 '23 at 10:27

1 Answers1

0

Your frontend (assuming is javascript based) should not be able to access your cookies.

The cookies are sent as a response from your backend. If you are getting a CORS error, it is likely that you need to whitelist the origin (your backend domain) for it to be able to send you your authentication cookies. You can take a look at this medium article on how to do it in ruby

Httponly flag mitigates risk of client-side scripts accessing the protected cookie. You should know you can still access the cookie via your developer tools.

Having cookies stored also means that your browser automatically sends those cookies with every request that can impact your performance.

This also poses a problem if you are intending to expand your MS architecture to include an API gateway that may expect the JWT token to be included in the authorisation header and not a cookie. It is something that you may want to consider as I am currently going through this issue.

If you are implementing a JWT based authentication system, I would recommend you to look into OIDC and its best practices.

You should also take a look at this Stackoverflow question to gain a better understanding between JWT and Oauth2 if you are intending to go for that route as well.

Neil
  • 164
  • 11