
Saving token in a cookie instead of creating a session cookie? #16

zensitively opened this issue Apr 3, 2022 · 1 comment

@zensitively

Is there any advantage of storing a session cookie instead of just the token via httpOnly cookies? Your code has this:

```ts
import { getAuth } from 'firebase-admin/auth'
// getAdminApp() is the project's own helper that returns the initialised firebase-admin app.

export const createSessionCookie = async (token: string, maxAge: number) => {
	// firebase-admin expects the session lifetime in milliseconds; maxAge is in seconds
	const expiresIn = maxAge * 1000
	const auth = getAuth(getAdminApp())
	// Exchange the short-lived Firebase ID token for a long-lived session cookie
	const session = await auth.createSessionCookie(token, {
		expiresIn,
	})

	// Set-Cookie header value: not readable from JS, only sent on same-site requests
	return `session=${session}; SameSite=Strict; Path=/; HttpOnly; Max-Age=${maxAge};`
}
```

Which makes it impossible to pass as an authorization token. I wonder what the benefit of these session cookies is; the Firebase docs are not helpful in that.

I have tried adding this as an alternative:

```ts
export const createJWTCookie = async (token: string, maxAge: number) => {
	// Store the Firebase ID token (a JWT) as-is, so it can later be sent as a Bearer token
	const jwt = token

	return `jwt=${jwt}; SameSite=Strict; Path=/; HttpOnly; Max-Age=${maxAge};`
}
```

And it works very well for passing to Hasura, for example, as the token of bearer authorization. As I understand, it should be safe since it's HttpOnly, restricted in time and the same site is set to strict.

(Please feel free to let me know if this is the right place to mention such things, and if it is welcome - I was not sure. I wanted to do something helpful for others, but don't have much experience yet.)

@jmagrippis
Owner

Hey there @zensitively ! Thanks a bunch for opening this, sorry it took me like... one month to see 😅 Discussion is definitely welcome, I just need to be on top of the GitHub notifications! Maybe I'll open up a "Discussions" page, seems to be trending nowadays...


In any case, maybe you've also asked this in the YouTube comments and I've since responded? 🙂 But the short of it is, that the session cookies have a much longer expiration date vs. the JWT, which is why I went for them in this case. They do introduce hoops you need to jump through if all you want is a JWT to pass to other services, like Hasura. It may be enough to store both for convenience, and if the JWT has expired, you can use the session cookie to get a fresh one.

Nothing wrong with just storing the JWT and not bothering with the session cookies at all, as you may have done, no security implications as you say as well... it's just that you'll need to ask the user to log in again more often!
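The "store both, fall back to the session cookie when the JWT has expired" approach from the reply above, as an added, self-contained example that is not the project's code. It keeps the two cookie names from the thread (`jwt` and `session`) and makes three assumptions: the serializer adds `Secure` (missing from the helpers in the issue) and refuses values that could smuggle extra cookie attributes, a request's `Cookie` header is parsed into a map, and the JWT's `exp` claim is read without verifying the signature, which is enough to decide whether to send it as a Bearer token but is not authentication. Actual verification stays with firebase-admin (`verifyIdToken` for the ID token, `verifySessionCookie` for the session cookie); the `refresh` branch is where the server would do that and obtain a fresh ID token. The base64url decoder, the `chooseCredential` helper and the sample token are constructed for this example.

```typescript
// Added example for the issue above; not code from the project.

// RFC 6265 cookie-octet: printable ASCII except '"', ',', ';', '\' and whitespace.
const COOKIE_VALUE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/

// Serialize an auth cookie like the helpers in the issue, plus Secure and an
// input check so a malformed value cannot inject attributes into Set-Cookie.
export function buildAuthCookie(name: string, value: string, maxAge: number): string {
  if (!COOKIE_VALUE.test(value)) {
    throw new Error(`refusing to set cookie ${name}: value contains invalid characters`)
  }
  if (!Number.isInteger(maxAge) || maxAge <= 0) {
    throw new Error('maxAge must be a positive integer number of seconds')
  }
  return `${name}=${value}; SameSite=Strict; Path=/; HttpOnly; Secure; Max-Age=${maxAge}`
}

// Parse a request Cookie header into name -> value (first occurrence wins).
export function parseCookieHeader(header: string | null | undefined): Record<string, string> {
  const out: Record<string, string> = Object.create(null)
  if (!header) return out
  for (const part of header.split(';')) {
    const idx = part.indexOf('=')
    if (idx < 0) continue
    const name = part.slice(0, idx).trim()
    if (name && out[name] === undefined) out[name] = part.slice(idx + 1).trim()
  }
  return out
}

// Minimal base64url decoder (assumed helper), so the example has no dependencies.
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
function base64urlDecode(s: string): string {
  const bytes: number[] = []
  let buffer = 0
  let bits = 0
  for (const ch of s) {
    const v = B64URL.indexOf(ch)
    if (v < 0) throw new Error('invalid base64url')
    buffer = (buffer << 6) | v
    bits += 6
    if (bits >= 8) {
      bits -= 8
      bytes.push((buffer >> bits) & 0xff)
      buffer &= (1 << bits) - 1 // keep only the leftover bits
    }
  }
  return new TextDecoder().decode(new Uint8Array(bytes))
}

// Read the `exp` claim (seconds since epoch) from a JWT WITHOUT verifying it.
// Only use the result to decide whether the token is worth sending; the
// receiving service (or firebase-admin) still has to verify the signature.
export function jwtExpiry(token: string): number | null {
  const parts = token.split('.')
  if (parts.length !== 3) return null
  try {
    const payload = JSON.parse(base64urlDecode(parts[1]))
    return typeof payload.exp === 'number' ? payload.exp : null
  } catch {
    return null
  }
}

export type Credential =
  | { kind: 'bearer'; token: string }          // JWT still valid: send as Authorization: Bearer
  | { kind: 'refresh'; sessionCookie: string } // JWT gone/expired: verify session cookie, mint a new JWT
  | { kind: 'login' }                          // neither cookie usable: ask the user to sign in

// Decide which stored credential to use. A JWT is treated as expired
// `skewSeconds` early so it does not lapse while the request is in flight.
export function chooseCredential(
  cookies: Record<string, string>,
  nowSeconds: number,
  skewSeconds = 30,
): Credential {
  const jwt = cookies.jwt
  if (jwt) {
    const exp = jwtExpiry(jwt)
    if (exp !== null && exp - skewSeconds > nowSeconds) return { kind: 'bearer', token: jwt }
  }
  if (cookies.session) return { kind: 'refresh', sessionCookie: cookies.session }
  return { kind: 'login' }
}

// Constructed sample token: header {"alg":"RS256","typ":"JWT"}, payload
// {"exp":1700000000}, signature "signature" (not a real Firebase token).
export const SAMPLE_JWT =
  'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MDAwMDAwMDB9.c2lnbmF0dXJl'
// Constructed sample request header carrying both cookies.
export const SAMPLE_COOKIE_HEADER = `jwt=${SAMPLE_JWT}; session=opaque-session-cookie-value`

// Usage: the same cookies yield a Bearer token before expiry and a refresh afterwards.
console.log(buildAuthCookie('jwt', SAMPLE_JWT, 3600))
console.log(chooseCredential(parseCookieHeader(SAMPLE_COOKIE_HEADER), 1699999000).kind) // bearer
console.log(chooseCredential(parseCookieHeader(SAMPLE_COOKIE_HEADER), 1700000000).kind) // refresh
```

The split mirrors the lifetimes the reply describes: a Firebase ID token is valid for one hour, while `createSessionCookie` accepts an `expiresIn` anywhere between five minutes and two weeks, so the JWT is what you hand to Hasura and the session cookie is what keeps the user from logging in again every hour.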
