
Discussion on: Be careful of the JWT hype train

rhymes

But how do you check whether a user is authenticated or not in a single page application?

It's quite straightforward:

  • on login the client receives a successful response, a secure HttpOnly cookie is set by the server and that's it (the user is now authenticated)
  • the cookie is sent by the browser with each request
  • on logout the server invalidates the cookie, the browser forgets it and you can log out the user
  • you can still use JWT and local storage to store additional user data, just not the session cookie

What if I'm running an app and web app on the same API?

What do you mean?

Lars Klopstra ⚡

Android App & Website sharing the same API & Authentication service, how are you supposed to store a cookie on an app?

rhymes

You're not bound to have the same authorization mechanism for both services if it doesn't suit your Android app, but you can:

how are you supposed to store a cookie on an app?

A cookie is just a header (not much different from the Authorization header OAuth2 uses); your app has an HTTP client, and they usually handle cookies easily.

I'm quite sure there's a way to store a cookie in Android; by Googling I found these:

I do not know how up to date such info is because I have zero experience developing on Android, but I do know that whenever you have a decent HTTP client, you have support for cookies (they are not a new technology ;-))
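As an added example (not from the thread or any of its participants), here is a small Python program that wires up the login / cookie / logout flow rhymes lists in the first comment, driven by an HTTP client that, as rhymes says in the Android reply, handles the cookie on its own through a cookie jar. Everything in it is constructed for the demo: the in-process server, the user `alice` and her password, the `/login`, `/me` and `/logout` routes, and the `session` cookie name. Note that HttpOnly is enforced by browsers, not by urllib, so this client could read the cookie value; the point shown is the mechanics (opaque server-side session, cookie sent automatically, server-side invalidation plus client-side deletion on logout), and the Secure flag is left off only because the demo talks plain HTTP to loopback.

```python
import http.cookiejar
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo credentials; a real service stores and checks password hashes.
USERS = {"alice": "correct horse battery staple"}
# Server-side session store: opaque cookie value -> username. Nothing about the
# user lives in the cookie itself, so invalidating a session is one dict pop.
SESSIONS = {}
COOKIE_NAME = "session"


class SessionHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass  # silence the default request log for the demo

    def _session_id(self):
        """Pull the session cookie value (if any) out of the Cookie header."""
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == COOKIE_NAME:
                return value
        return None

    def _reply(self, status, body=b"", cookie=None):
        self.send_response(status)
        if cookie is not None:
            self.send_header("Set-Cookie", cookie)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode()
        if self.path == "/login":
            user, _, password = body.partition(":")
            expected = USERS.get(user, "")
            # Constant-time compare so a wrong guess does not leak by timing.
            if not expected or not secrets.compare_digest(expected.encode(), password.encode()):
                return self._reply(401)
            sid = secrets.token_urlsafe(32)  # unguessable, opaque session id
            SESSIONS[sid] = user
            # HttpOnly keeps page scripts from reading it; SameSite=Lax limits
            # cross-site sends. Add "Secure" when serving over HTTPS (assumed here
            # to be omitted only because the demo runs over plain HTTP on loopback).
            return self._reply(200, b"ok", f"{COOKIE_NAME}={sid}; HttpOnly; SameSite=Lax; Path=/")
        if self.path == "/logout":
            SESSIONS.pop(self._session_id(), None)  # server-side invalidation
            # Max-Age=0 tells the client to forget the cookie.
            return self._reply(200, b"ok", f"{COOKIE_NAME}=; Max-Age=0; HttpOnly; Path=/")
        self._reply(404)

    def do_GET(self):
        if self.path != "/me":
            return self._reply(404)
        user = SESSIONS.get(self._session_id())
        if user is None:
            return self._reply(401)
        self._reply(200, user.encode())


def _call(opener, url, data=None):
    """Return (status, body); urllib raises HTTPError for 4xx, so map it back."""
    method = "POST" if data is not None else "GET"
    req = urllib.request.Request(url, data=data, method=method)
    try:
        with opener.open(req) as resp:
            return resp.getcode(), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def run_demo():
    """Run the whole login -> authenticated request -> logout flow in-process."""
    server = HTTPServer(("127.0.0.1", 0), SessionHandler)
    base = f"http://127.0.0.1:{server.server_address[1]}"
    threading.Thread(target=server.serve_forever, daemon=True).start()
    # A cookie jar is all the client needs: it stores Set-Cookie from responses
    # and attaches the matching Cookie header to later requests, like a browser.
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    try:
        results = {}
        results["anon"] = _call(opener, base + "/me")[0]                                      # 401
        results["bad_login"] = _call(opener, base + "/login", b"alice:wrong")[0]              # 401
        results["login"] = _call(opener, base + "/login", b"alice:correct horse battery staple")[0]  # 200
        results["cookie_count"] = len(jar)                                                    # 1
        results["me"] = _call(opener, base + "/me")                                           # (200, "alice")
        results["logout"] = _call(opener, base + "/logout", b"")[0]                           # 200
        results["after_logout"] = _call(opener, base + "/me")[0]                              # 401
        results["cookie_after_logout"] = len(jar)                                             # 0
        results["sessions_left"] = len(SESSIONS)                                              # 0
        return results
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step}: {outcome}")
```

The client never parses or stores the cookie by hand: `HTTPCookieProcessor` does what a browser (or any Android HTTP client with a cookie store) does, which is the point rhymes makes. The `Max-Age=0` on logout is what makes the jar drop the cookie, while the `SESSIONS.pop` is what makes a replayed copy of the old cookie worthless even if a client ignored that header.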

Jamal Al

If you're sending HTTP requests with headers back and forth, then you must have cookies because cookies are essentially just a header. Right?