Access token should live in memory, and the refresh token should be stored as an HttpOnly cookie set by the IdP, not in local/sessionStorage.
On page load, the app just does a silent refresh using that cookie to get a new access token — that’s how login survives a reopen without storing tokens in JS storage.
I’ll cover this step-by-step in the next article (Part 2) 🚀
Thanks! 🙌
I look forward to it.
Just a couple of questions are wandering around in my mind.
So in this case, the HttpOnly cookie should be set by the server. But if the backend server is on a different domain, how can I set the cookie for the client?
Client domain A.com, server domain B.com. And the client is HTML files served by a web server such as nginx.
Second and last:
If we store the access token in an HttpOnly cookie, is there any reason to use a refresh token?
Thanks! Great questions — super common in real apps.
Different domains (A.com app, B.com IdP/API):
A server on B.com can’t set cookies for A.com.
Use one of these:
Same-site setup: serve IdP on a subdomain (e.g. auth.a.com) so it can set a first-party HttpOnly cookie (SameSite=Lax/Strict).
Top-level redirect: briefly navigate the browser to b.com so it’s first-party there; B.com sets the cookie, then redirects back.
BFF pattern: tiny backend under a.com holds tokens; browser only has a session cookie.
Access token in an HttpOnly cookie — do we still need a refresh token?
For SPAs, don’t put the access token in a cookie (CSRF + it’s sent automatically everywhere). Keep access in memory and use Authorization: Bearer.
You still want a refresh token (in HttpOnly cookie) to renew short-lived access tokens without re-login (and to enable rotation/reuse-detection).
If you move to BFF + server session, then you typically don’t use access tokens in the browser at all (so no refresh token in the browser either).
I’ll cover these options (same-site vs redirect, PKCE, BFF, CSRF gotchas) in Part 2. 🚀