Comment by Gergely Polonkai on "Should I use local/session storage or cookie to store access/refresh token?"

CommentShould I use local/session storage or cookie to store access/refresh token?

Gergely Polonkai

You have to believe in things that are not true. How else would they become?

Aug 26, 2017

I think that will be a highly opinionated answer.

If your API is consumed by third party applications, using cookies is not an option (well, it is, but you don’t want to make the lif of other devs harder.)

If your API is consumed only by your own front-end, you can go with whatever unorthodox method you want. If you otherwise use the local or session storage, even that is fine. It can even be a global(ish) variable in the application.

You may want to take a look at riot.im or vector.im, it may give you some ideas.

Kareem

Aug 26, 2017

thank you so much forr the answer.

Yes it is consumed only by my Front-End Web app so going with local storage is secure enough? (I want to store there refresh token so when access token not working I'm going to refresh it.)

Martin Blaustein

Apr 9, 2018

I'm facing the same problem now, did you find that solution (storing the refresh token in the session) to be secure enough?

Search Hashnode