Discussion on: Securely Storing JWTs in (Flutter) Web Apps

chitgoks

from dart code.

Carmine Zaccagnino • Edited

As I said in the post:

The place where tokens are stored in Web apps is httpOnly cookies, which are sent to the backend automatically along with each request, but aren't accessible by JavaScript.

In the case of a Flutter app and not a traditional Web app, JavaScript is replaced by Dart.

The whole point of having cookies (especially if httpOnly) is that you don't need to access them on the frontend, as they're automatically sent to the backend as I showed in the post.

The only stuff you should be worrying about accessing in the frontend is the stuff you want to put in localStorage.

Hope this helps.

chitgoks

So you mean that if it's an app, the cookie should be saved, but if it is web, the cookie is automatically included?

Since the browser automatically keeps cookies?

Carmine Zaccagnino • Edited

Yes, exactly.

Also, the cookies are saved automatically in the document.cookie just like they would if you were writing regular JS.
Unless they're httpOnly: in that case the frontend can never access them so they can be accessed only by the backend when you send a request.

chitgoks

Cool, I'll check.

I can understand that, but somehow it's weird that the response header doesn't show the cookie after login.

chitgoks

Hi Carmine. It seems that the problem is that req.cookies returns null in the backend when Flutter web sends a request to the backend.

I also set httpOnly to false so I could see the document.cookie contents, but nothing is saved to the browser. Weird.

Jason Poindexter

I am also having the same issue. I can see the Set-Cookie header in the login response, but the cookie is not actually being set.

Carmine Zaccagnino

@chitgoks and @jsonpoindexter I've noticed that. Google's HTTP library seems to not retain cookies sometimes. Switching to the dio http library should fix it in my experience, and Dio's API is very close to Google's. I'm sorry for the late response, but I've not been logging in too often lately.

Jason Poindexter • Edited

Thank you for taking the time to respond @carminezacc! What ended up working for me was setting the withCredentials parameter for the BrowserClient to true (it defaults to false). After that, my browser did all the cookie management!
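The fix described in this thread, as an added example that is not code from the original post or from any commenter: a Flutter web client built on package:http's BrowserClient with withCredentials set to true, so the browser stores the httpOnly cookie from the login response and attaches it to later requests without Dart ever touching it. The endpoint URLs, the JSON body shape and the backend's CORS settings are assumptions.

```dart
// Added example (not from the original post or thread). Login over
// BrowserClient with withCredentials = true; the JWT lives in an httpOnly
// cookie that only the browser and the backend ever see.
import 'dart:convert';

import 'package:http/browser_client.dart';
import 'package:http/http.dart' as http;

// Hypothetical backend on a different origin than the Flutter app. For the
// cookie to be stored and replayed cross-origin, the backend must answer
// with Access-Control-Allow-Origin set to the exact app origin (not "*")
// and Access-Control-Allow-Credentials: true, and the cookie itself needs
// the SameSite=None; Secure attributes in addition to HttpOnly.
final Uri loginUrl = Uri.parse('https://api.example.com/login');
final Uri profileUrl = Uri.parse('https://api.example.com/me');

// withCredentials defaults to false. In that mode the browser ignores
// Set-Cookie on cross-origin responses and never attaches cookies to
// cross-origin requests, which is the "Set-Cookie is there but nothing is
// saved" symptom reported in the thread.
final http.Client client = BrowserClient()..withCredentials = true;

Future<bool> login(String username, String password) async {
  final response = await client.post(
    loginUrl,
    headers: {'Content-Type': 'application/json'},
    body: jsonEncode({'username': username, 'password': password}),
  );
  // The token arrives in Set-Cookie as an httpOnly cookie. Dart does not
  // read it, document.cookie will not show it, and nothing is written to
  // localStorage: the browser's cookie jar is the only storage.
  return response.statusCode == 200;
}

Future<Map<String, dynamic>?> fetchProfile() async {
  // No Authorization header is added; the browser attaches the cookie to
  // this request on its own because withCredentials is true.
  final response = await client.get(profileUrl);
  if (response.statusCode != 200) return null;
  return jsonDecode(response.body) as Map<String, dynamic>;
}
```

If the backend is served from the same origin as the Flutter app, the CORS headers and SameSite=None are not needed, but withCredentials still has to be true for the cookie to be sent with XHR-based requests from BrowserClient.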