Should I use local/session storage or a cookie to store the access/refresh token?
Poll (14 votes · Closed):
Long lived Access Token: 50%
Access / Refresh token in localstorage: 50%
other option: 0%
I created an API that sends a user an "access token" and a "refresh token", to be used for authentication and for refreshing the access token.
I'm using Angular on the client side. The problem I have is that there is a lot of discussion and many ways to store those tokens, like localStorage, sessionStorage and cookies.
Which one should I use? Each time I google, I find they all have downsides; for example, I see CSRF and XSS attacks, cookies aren't RESTful, etc.
The idea I have is: store the access token, and when I get a "401" error, use the refresh token to get a new access token. I am thinking of storing both of them in sessionStorage.
Or should I use a long-lived access token that expires after a long time?
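
The flow described in the post (call the API, and on a 401 use the refresh token to get a new access token, then retry), written out as an added example that is not part of the original post. The `/auth/refresh` path, the JSON field names, the storage keys and the injected `store` and `http` parameters are assumptions.

```javascript
// Added example: the 401-then-refresh flow from the post.
// Assumptions (not from the post): the /auth/refresh path, the JSON field
// names, the storage keys, and the injected `store` and `http` parameters.
function createAuthClient({ store, http, refreshUrl = "/auth/refresh" }) {
  let inFlight = null; // shared promise so concurrent 401s trigger one refresh

  async function refresh() {
    const refreshToken = store.getItem("refresh_token");
    if (!refreshToken) throw new Error("no refresh token; user must log in");
    const res = await http(refreshUrl, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ refresh_token: refreshToken }),
    });
    if (!res.ok) {
      // Refresh token rejected: drop both tokens so a stale pair is not reused.
      store.removeItem("access_token");
      store.removeItem("refresh_token");
      throw new Error("refresh failed with status " + res.status);
    }
    const body = await res.json();
    store.setItem("access_token", body.access_token);
    // Servers that rotate refresh tokens return a new one with each refresh.
    if (body.refresh_token) store.setItem("refresh_token", body.refresh_token);
  }

  function refreshOnce() {
    if (!inFlight) inFlight = refresh().finally(() => { inFlight = null; });
    return inFlight;
  }

  function send(url, init) {
    const headers = { ...(init.headers || {}) };
    const token = store.getItem("access_token");
    if (token) headers.Authorization = "Bearer " + token;
    return http(url, { ...init, headers });
  }

  // Call the API; on a 401, refresh once and replay the request once.
  async function request(url, init = {}) {
    const first = await send(url, init);
    if (first.status !== 401) return first;
    await refreshOnce();
    return send(url, init); // a second 401 is returned to the caller, no loop
  }

  return { request };
}
```

In a browser this would be created as `createAuthClient({ store: sessionStorage, http: fetch })`; any object with `getItem`, `setItem` and `removeItem` works as the store.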