Can I store a JSON token in a cookie?

  • Question

  • User-284642143 posted

    A third party service requires a username and password to obtain a token, which then allows me to access the data by sending this within the HttpHeaders property for HttpWebRequest.

    Is it appropriate to store this Token in a cookie to make further requests? Or does the cookie need to be encrypted (I think converting to Base64)?

    Monday, November 25, 2019 9:32 AM

All replies

  • User-1780421697 posted

    In most cases, especially in an SPA, we use a cookie or some storage state like the browser's local storage to store the token, and it's normal.

    Monday, November 25, 2019 12:14 PM
  • User288213138 posted

    Hi EssCee,

    A third party service requires a username and password to obtain a token, which then allows me to access the data by sending this within the HttpHeaders property for HttpWebRequest.

    Is it appropriate to store this Token in a cookie to make further requests? Or does the cookie need to be encrypted (I think converting to Base64)?

    In this context, browser local storage, session storage and cookies can all store a JSON token, but session is more secure than the others.

    The reason is that browser localStorage and sessionStorage do not provide enough security for storing auth tokens.

    For more information about the JWT in the cookie, you can refer to this link: https://stackoverflow.com/a/54258744

    Best regards,

    Sam

    Tuesday, November 26, 2019 7:24 AM
  • User-284642143 posted

    So I can store it in a session, something like

    HttpContext.Current.Session["Token"] = 123;

    In which case, what if a user reads this value and then attempts to send a POST request? Should I encrypt it? If yes, is there a particular encryption method I should follow?

    Tuesday, November 26, 2019 9:51 AM
  • User-1780421697 posted

    If you do not have a distributed session then it may cause another issue. OpenID Connect removes the limitation of cookie-based auth and session-based auth.

    Tuesday, November 26, 2019 10:02 AM
  • User475983607 posted

    This is a standard web application state management question. The proper ASP.NET state management feature to implement is up to you. If the service client is the web application then server side state management is best. Session is fine but I would use a cache where the cache expiration is the same as the token expiration. If the token cache is empty then you know the token timed out and you need to request another token. Or you can use the expiration to know when to refresh the token.

    Tuesday, November 26, 2019 9:59 PM
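Added example, not code from the thread: one way to implement the server-side cached-token approach the last reply describes, in C# for ASP.NET on the .NET Framework. The token endpoint URL, the JSON shape of the token reply and the credential source are placeholders chosen for illustration.

```csharp
using System;
using System.IO;
using System.Net;
using System.Runtime.Caching;
using System.Text;
using System.Web.Script.Serialization;

// Server-side token cache: the entry expires together with the third-party token.
public static class ThirdPartyTokenCache
{
    private static readonly MemoryCache Cache = MemoryCache.Default;
    private static readonly object Gate = new object();
    private const string CacheKey = "ThirdPartyServiceToken";
    private const string TokenUrl = "https://third-party.example/api/token"; // placeholder endpoint
    // Returns a usable token; an empty cache means the previous token expired.
    public static string GetToken()
    {
        var token = Cache.Get(CacheKey) as string;
        if (token != null) return token;
        lock (Gate) // one refresh at a time when the cache is cold
        {
            token = Cache.Get(CacheKey) as string;
            if (token != null) return token;
            token = RequestToken(out var expiresAt);
            // Drop the entry a little early so no request is sent with a just-expired token.
            Cache.Set(CacheKey, token, expiresAt.AddSeconds(-30));
            return token;
        }
    }
    // Credentials are read server-side (configuration); they never reach the browser.
    private static string RequestToken(out DateTimeOffset expiresAt)
    {
        var request = (HttpWebRequest)WebRequest.Create(TokenUrl);
        request.Method = "POST";
        request.ContentType = "application/json";
        var body = Encoding.UTF8.GetBytes("{\"username\":\"<from-config>\",\"password\":\"<from-config>\"}");
        using (var stream = request.GetRequestStream()) stream.Write(body, 0, body.Length);
        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
        {
            // Assumed reply shape: {"token":"...","expires_in":3600}
            var reply = new JavaScriptSerializer().Deserialize<TokenReply>(reader.ReadToEnd());
            expiresAt = DateTimeOffset.UtcNow.AddSeconds(reply.expires_in);
            return reply.token;
        }
    }
    private class TokenReply { public string token { get; set; } public int expires_in { get; set; } }
}
```

Callers use `ThirdPartyTokenCache.GetToken()` when building the outgoing HttpWebRequest, so the token and the credentials that obtain it stay on the server rather than in a browser cookie.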