This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Is it safe to pass the access_token as a cookie to AngularJS? #721

Closed
IWriteApps opened this issue Jan 6, 2015 · 2 comments

@IWriteApps

First of all I want to thank you guys for putting together this great solution, I have no idea where I'd be without it. Second, security is not my greatest strength and so this may be a silly question, but...

I have an AngularJS app hosted in an ASP.NET MVC application. I found it easiest to have the MVC application work directly with IdentityServer using implicit flow to register/login, and then once the user authenticates I take the access_token and create a cookie for it for Angular to use.

Does this violate any sort of security rule? I figured I would be ok in doing this since the idsrv cookie is in the browser anyway and holds this data anyway, but I want to be completely sure before I leave myself open for hacks.

@leastprivilege
Member

So the problem is: you don't have much control over when a browser sends a cookie, e.g. this could be triggered by CSRF.

I'd prefer if you would rather render a view from MVC that puts the token into local storage.
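
The difference between the two hand-off strategies discussed above, as an added illustration that is not code from IdentityServer or from anyone in this thread. It models a browser with a cookie jar and per-origin localStorage, a resource server that checks the token, and an AngularJS-style request interceptor; the host and origin names and the `access_token` key are placeholders, and the sample token is constructed.

```javascript
// Added example, not IdentityServer code. Two ways of handing the access token
// to the AngularJS app:
//   (a) a cookie for the API host: the browser attaches it to every request to
//       that host, including one a hostile page forges (CSRF);
//   (b) the token written to localStorage by an MVC-rendered view and copied
//       into an Authorization: Bearer header by the app's own code.
const API_HOST = "api.example.test";            // placeholder host
const APP_ORIGIN = "https://app.example.test";  // placeholder origin
const EVIL_ORIGIN = "https://evil.example.test";
const TOKEN = "eyJ.sample.token";               // constructed stand-in for a real access_token

// Tiny browser model: cookies keyed by host, localStorage keyed by origin.
function makeBrowser() {
  const cookieJar = new Map();
  const storageByOrigin = new Map();
  return {
    setCookie(host, name, value) {
      const jar = cookieJar.get(host) || {};
      jar[name] = value;
      cookieJar.set(host, jar);
    },
    storageFor(origin) {
      if (!storageByOrigin.has(origin)) storageByOrigin.set(origin, new Map());
      const store = storageByOrigin.get(origin);
      return {
        getItem: (k) => (store.has(k) ? store.get(k) : null),
        setItem: (k, v) => store.set(k, String(v)),
      };
    },
    // Cookies for `host` are added by the browser no matter which page started
    // the request; other headers are only present if the page's JS set them.
    send({ host, headers = {} }) {
      const jar = cookieJar.get(host) || {};
      const cookie = Object.entries(jar).map(([k, v]) => `${k}=${v}`).join("; ");
      return { host, headers: cookie ? { Cookie: cookie, ...headers } : { ...headers } };
    },
  };
}

// Strategy (b), server side: what the MVC view rendered after login does.
// A Razor view would emit a <script> doing this; the token must be
// JavaScript-string-encoded there, not only HTML-encoded (assumption: the
// thread shows no view code).
function renderTokenHandoff(storage, accessToken) {
  storage.setItem("access_token", accessToken);
}

// Strategy (b), client side: interceptor in the shape AngularJS
// $httpProvider.interceptors expects. Only the app's own $http calls pass
// through it; a request forged from another origin never does.
function bearerInterceptor(storage) {
  return {
    request(config) {
      const token = storage.getItem("access_token");
      if (token) config.headers = { ...(config.headers || {}), Authorization: `Bearer ${token}` };
      return config;
    },
  };
}

// Resource server. Which credential it honours decides the exposure.
function authorize(req, { acceptCookie }) {
  const auth = req.headers.Authorization || "";
  if (auth.startsWith("Bearer ")) return auth.slice(7) === TOKEN;
  if (acceptCookie) {
    const m = /(?:^|; )access_token=([^;]+)/.exec(req.headers.Cookie || "");
    return Boolean(m && m[1] === TOKEN);
  }
  return false;
}

// (a): a page on EVIL_ORIGIN triggers a request (form post, img tag, ...) to
// the API. No app code runs, yet the browser attaches the cookie by itself.
function cookieStrategyForgedRequestAccepted() {
  const browser = makeBrowser();
  browser.setCookie(API_HOST, "access_token", TOKEN);
  const forged = browser.send({ host: API_HOST, headers: {} });
  return authorize(forged, { acceptCookie: true });
}

// (b): the forged request carries nothing usable, the hostile origin cannot
// read the app origin's storage, and the app's own request succeeds.
function bearerStrategy() {
  const browser = makeBrowser();
  const appStorage = browser.storageFor(APP_ORIGIN);
  renderTokenHandoff(appStorage, TOKEN);
  const forged = browser.send({ host: API_HOST, headers: {} });
  const legit = browser.send(bearerInterceptor(appStorage).request({ host: API_HOST, headers: {} }));
  return {
    forgedAccepted: authorize(forged, { acceptCookie: false }),
    evilCanReadToken: browser.storageFor(EVIL_ORIGIN).getItem("access_token") !== null,
    legitAccepted: authorize(legit, { acceptCookie: false }),
  };
}
```

The interceptor also shows the trade-off a practitioner should keep in mind: it reads the token from localStorage exactly as any other script running on the app's origin could, so moving the token out of a cookie removes the CSRF exposure but not exposure to script injection (XSS) on the app's own pages.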

@devmoviit

How would one go about that?

Encoding the user/claims objects using razor?
Doesn't that mean someone can sniff the tokens from the DOM or something?
