How to set up an httpOnly cookie for auth?

I see that saving the JWT in localStorage in my React JS app using Redux is not safe, nor is it good to keep it in memory, since it is logged out with each refresh or new tab!! What is the safest and simplest way to do it? I feel like I’m wasting a lot of time setting this up at the start of a project.

This topic has been created from a Discord post (1215833109807759460) to give it more visibility.
It will be in read-only mode here.

Back in my Rails days, we used to save the JWT in just cookies. I think the server-side (Strapi) needs to set the Cookie header, but the details escape me…

Anyone, please?

Well, if your concern is that if you store the token in cookies the user would not be able to read it, the answer is NO

The point of using cookies is to prevent XSS attacks

Since the cookie cannot be read by browser JS

The only way to implement cookie auth currently is by using the extensions folder and extending the users-permissions plugin

There you go, implementation details: How to pass JWT token from Header Set-Cookie to Headers Authorization: Bearer token
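The cookie-to-header approach described above, as an added example that is neither the poster's nor Strapi's own code: two Koa-style middlewares of the kind a Strapi extension could register, with a constructed stand-in for Koa's `ctx` so they run offline. The cookie name `jwt`, the login path and the `demo()` helper are assumptions.

```javascript
// Added example (not Strapi's own code): two Koa-style middlewares of the kind a
// Strapi extension can register. Cookie name and login path are assumptions.
const COOKIE_NAME = 'jwt';             // assumed cookie name
const LOGIN_PATH = '/api/auth/local';  // users-permissions login route
const COOKIE_OPTS = {
  httpOnly: true,      // not readable by page scripts (the XSS benefit)
  secure: true,        // only sent over HTTPS
  sameSite: 'strict',  // not sent on cross-site requests (limits CSRF)
  maxAge: 7 * 24 * 60 * 60 * 1000,
};
// After a successful login, move the JWT out of the JSON body into the cookie.
const setCookieOnLogin = async (ctx, next) => {
  await next();
  if (ctx.path === LOGIN_PATH && ctx.status === 200 && ctx.body && ctx.body.jwt) {
    ctx.cookies.set(COOKIE_NAME, ctx.body.jwt, COOKIE_OPTS);
    const { jwt, ...rest } = ctx.body;
    ctx.body = rest;   // frontend never sees the raw token
  }
};
// Before the users-permissions JWT check, copy the cookie into the
// Authorization header so the plugin's existing logic works unchanged.
const cookieToAuthHeader = async (ctx, next) => {
  if (!ctx.request.header.authorization) {
    const token = ctx.cookies.get(COOKIE_NAME);
    if (token) ctx.request.header.authorization = `Bearer ${token}`;
  }
  await next();
};

// Constructed stand-in for Koa's ctx so the middlewares can run offline.
function fakeCtx(path, jar) {
  const opts = {};
  return {
    path, status: 200, body: undefined, opts,
    request: { header: {} },
    cookies: { get: (n) => jar[n], set: (n, v, o) => { jar[n] = v; opts[n] = o; } },
  };
}

// Simulate a login then an authenticated request; report what each side sees.
async function demo() {
  const jar = {};  // one browser's cookie jar (constructed)
  const login = fakeCtx(LOGIN_PATH, jar);
  await setCookieOnLogin(login, async () => { login.body = { jwt: 'h.p.s', user: { id: 1 } }; });
  const req = fakeCtx('/api/products', jar);
  let seen;
  await cookieToAuthHeader(req, async () => { seen = req.request.header.authorization; });
  return { bodyHasJwt: 'jwt' in login.body, httpOnly: login.opts[COOKIE_NAME].httpOnly, seen };
}
```

The frontend then sends requests with `credentials: 'include'` and never handles the token itself; `cookieToAuthHeader` must run before the plugin's authentication strategy.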

OK, thanks! I will check it. I did something with another Strapi forum article but I’m still thinking about it…

I read a guy saying that saving the session in a database is better than localStorage and cookies… I honestly don’t know who to believe.
What do you do for user sessions? How do you handle sessions in your apps?

I personally just use JWT and localStorage; cookie auth is a bit more of a pain in the arse in terms of setup and development…

The only profit is to prevent XSS, but I don’t have that sensitive data around

Generally speaking, I would do anything other than JWT if it was required

Hello, could I know what types of projects you did? Just to have an idea.
As for sensitive information, my project is a business manager for retailers. It would be online in a React app, where they can add their products and their sales; I think there could be invoices, prices, and sales analysis for the month. What do you think about that?

The problem is that if you want secure data, you likely need someone who can somehow guarantee it

The proper sensitive data is the data which can harm someone if leaked

Idc; if you want that type of security I would look at OAuth2 stuff

There are sessions, where you have to re-authorise every few mins

It’s still a bit confusing: in almost all the articles they recommend JWT for connections between different services, and cookies for sessions with a simple RESTful API. Strapi by default is a REST API and uses JWT, so? hehe

I tried to find some guide to use only cookies without JWT in Strapi, but I can’t find any.