re: Be careful of the JWT hype train VIEW POST

VIEW PARENT COMMENT VIEW FULL DISCUSSION
 

But how do you check wether an user is authenticated or not in a single page application?

It's quite straightforward:

  • on login the client receives a successful response, a secure httponly cookie is set by the server and that's it (the user is now authenticated)
  • the cookie is sent by the browser at each request
  • on logout the server invalidates the cookie, the browser forgets it and you can logout the user
  • you can still use jwt and the local storage to store additional user's data, just not the session cookie

What if I'm running an app and web app on the same API?

what do you mean?

 

Android App & Website sharing the same API & Authentication service, how are you supposed to store a cookie on an app?

You're not bound to have the same authorization mechanism for both services if it doesn't suit your Android app, but you can:

how are you supposed to store a cookie on an app?

A cookie is just a header (not much different from the Authorization header OAuth2 uses), your app has a HTTP client, they usually handle cookies easily.

I'm quite sure there's a way to store a cookie in Android, by Googling I found these:

I do not know how up to date such info is because I have zero experience developing on Android but I do know that whenever you have a decent HTTP client, you have support for cookies (they are not a new technology ;-))

If you're sending http requests with headers back and forth than you must have cookies because cookies are essentially just a header. Right?

code of conduct - report abuse