DEV Community

Discussion on: Be careful of the JWT hype train

rhymes profile image

But how do you check wether an user is authenticated or not in a single page application?

It's quite straightforward:

  • on login the client receives a successful response, a secure httponly cookie is set by the server and that's it (the user is now authenticated)
  • the cookie is sent by the browser at each request
  • on logout the server invalidates the cookie, the browser forgets it and you can logout the user
  • you can still use jwt and the local storage to store additional user's data, just not the session cookie

What if I'm running an app and web app on the same API?

what do you mean?

larsklopstra profile image
Lars Klopstra ⚡

Android App & Website sharing the same API & Authentication service, how are you supposed to store a cookie on an app?

Thread Thread
rhymes profile image
rhymes • Edited

You're not bound to have the same authorization mechanism for both services if it doesn't suit your Android app, but you can:

how are you supposed to store a cookie on an app?

A cookie is just a header (not much different from the Authorization header OAuth2 uses), your app has a HTTP client, they usually handle cookies easily.

I'm quite sure there's a way to store a cookie in Android, by Googling I found these:

I do not know how up to date such info is because I have zero experience developing on Android but I do know that whenever you have a decent HTTP client, you have support for cookies (they are not a new technology ;-))

Thread Thread
jay97 profile image
Jamal Al

If you're sending http requests with headers back and forth than you must have cookies because cookies are essentially just a header. Right?