I recently wrote a post about how to implement JWT Authorization in Flutter apps. I only considered the use case of writing a mobile app, so I reco...
Hi, I'm following this thread and it's working on Android, but in Flutter web the response does not have any cookie in the header.
Only content length and type are available. I tried dio and http, same result.
In Express I tried httpOnly false and true.
Thoughts?
Where are you trying to access the cookies from? From the Flutter Dart code or from the Node backend code?
From Dart code.
As I said in the post:
In the case of a Flutter app and not a traditional Web app JavaScript is replaced by Dart.
The whole point of having cookies (especially if httpOnly) is that you don't need to access them on the frontend, as they're automatically sent to the backend as I showed in the post.
The only stuff you should be worrying about accessing in the frontend is the stuff you want to put in localStorage.
Hope this helps.
So you mean that if it's an app, the cookie should be saved, but if it is web, the cookie is automatically included?
Since the browser automatically keeps cookies?
Yes, exactly.
Also, the cookies are saved automatically in the document.cookie just like they would if you were writing regular JS. Unless they're httpOnly: in that case the frontend can never access them so they can be accessed only by the backend when you send a request.
Cool. I'll check.
I can understand that, but somehow it's weird that the response header doesn't show the cookie after login.
Hi Carmine. It seems that the problem is req.cookies returns null in the backend when Flutter web sends a request to the backend.
Also set httpOnly to false so I could see document.cookie contents but nothing is saved to the browser. Weird.
I am also having the same issue. I can see the Set-Cookie header in the login response but the cookie is not actually being set.
@chitgoks and @jsonpoindexter I've noticed that. Google's HTTP library seems to not retain cookies sometimes. Switching to the dio http library should fix it in my experience, and Dio's API is very close to Google's. I'm sorry for the late response but I've not been logging in to dev.to often lately.
Thank you for taking the time to respond @carminezacc! What ended up working for me was setting the withCredentials parameter for the BrowserClient to true (it is defaulted to false). After that, my browser did all the cookie management!
github.com/dart-lang/http/blob/20e...
Hi.
Flutter_secure_storage, Shared_preferences and Flutter_Session save data in local storage,
but the JWT token saves data in cookies.
Which one is better and safe?
Do we need a JWT token when we use Flutter_secure_storage or not?
Sorry to answer so late, but I haven't logged in to DEV for really long. Cookies aren't safe from CSRF, localStorage is as safe as your frontend code. With Flutter you might not have much to worry about, but XSS on the Web is still an issue for some websites, that's why one should ideally use a different token in each and have the backend require both.
Thanks for your answer.
I use flutter secure storage in Flutter web.
My problem is the web browser's local storage. If an attacker changes my token in local storage with XSS, flutter secure storage should log out but it can not?
If your backend identifies the user through both a token in local storage and a different one in HttpOnly cookies (which can't be accessed directly by scripts running on webpages) it can verify both are present and matching. The HttpOnly cookie defends from XSS (by not being accessible to scripts) and the local storage token protects from CSRF because only scripts running on your website can access it.
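The two-token check described in the reply above, sketched for a Node backend as an added example (not code from the original post or thread). The minimal HS256 signer stands in for the jsonwebtoken calls quoted elsewhere in the thread, and the names issuePair, authenticate, sid and use are assumptions made for illustration.

```javascript
// Added example: dependency-free stand-in for jsonwebtoken, Node's crypto only.
const crypto = require('node:crypto');

const KEY = crypto.randomBytes(32); // constructed demo key; load from a secret store in practice
const b64 = (v) => Buffer.from(v).toString('base64url');
const mac = (data) => crypto.createHmac('sha256', KEY).update(data).digest();

// Minimal HS256 JWT signer: header.payload.signature
function sign(payload) {
  const body = b64(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) + '.' + b64(JSON.stringify(payload));
  return body + '.' + mac(body).toString('base64url');
}

// Returns the payload, or null if the token is missing, malformed, forged or expired.
function verify(token, nowSec = Math.floor(Date.now() / 1000)) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const expected = mac(parts[0] + '.' + parts[1]);
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
    return payload.exp > nowSec ? payload : null;
  } catch { return null; }
}

// At login: two different tokens tied to the same session id (hypothetical "sid" claim).
function issuePair(user, ttlSec = 900) {
  const sid = crypto.randomUUID();
  const exp = Math.floor(Date.now() / 1000) + ttlSec;
  return {
    cookieToken: sign({ sub: user, sid, use: 'cookie', exp }), // goes out via Set-Cookie with HttpOnly
    headerToken: sign({ sub: user, sid, use: 'header', exp }), // goes in the body, kept in localStorage
  };
}

// On each request: both tokens must be present, valid, of the right kind, and matching.
function authenticate(cookieToken, headerToken) {
  const c = verify(cookieToken), h = verify(headerToken);
  if (!c || !h || c.use !== 'cookie' || h.use !== 'header') return null;
  return c.sid === h.sid && c.sub === h.sub ? c.sub : null;
}
```

In an Express handler, cookieToken would be read from req.cookies and headerToken from a request header that the Dart code fills from localStorage.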
The token is generated in the backend and sent to flutter secure storage.
Flutter secure storage gets the token and saves it in local storage.
But when you change the token in the local storage of the browser, Flutter web gets an error (error: formatexception: invalid length, must be multiple of four (at character 16) in flutter secure storage).
What should I do about this error?
I'm trying to follow this but cookies are not being set on Chrome. It's my first time developing for web so I don't exactly know what's the problem; according to my research apparently it's a problem with CORS. I have already tried setting credentials to true on both the Node and Flutter side and I also tried using dio. Nothing seems to work.
This is a great tutorial.
Can I have one question?
How to make logout?
I tried like these:
jwt.sign(payload, KEY, {algorithm: 'HS256', expiresIn: "0"});
jwt.sign(payload, KEY, {algorithm: 'HS256', expiresIn: "-1d"});
Failed,
because I found the expire date method to log out.
How to do it?
Hi, you can clear the cookies and the local storage to log out.