April 24, 2021

Is it a bad practice to use only one token for a SPA (no applications, only user)?

Say we have multiple instances of application X deployed on **site1.com, site2.com, site3.com**, etc. And we have a centralized server at **example.com** serving all of these.

All the instances of X are static sites, that is, they do not have a server, and thus they can’t proxy requests to endpoints.

Traditionally, in a same-site situation, HTTPOnly, secure cookies would’ve been used to store user sessions, but with the (necessary) death of third-party cookies, **we can’t do that cross-site.** So recently we have been debating about shifting to storing the session token or JWT in LocalStorage or in a cookie (using JavaScript).

We understand the issues with XSS and CSRF involved, but we don’t understand how else to make authentication work cross-site. Our application instances are usually “control panels” where users log in to manage their data or other information regarding their organization. They are strictly user <-> server and there is no third-party application involved which might require some access_token.

I have read in a lot of places that storing tokens (JWTs) in LocalStorage is a bad idea. Other places ask you to avoid cookies since they are vulnerable to CSRF. And some places ask you to use id_token and access_token. So where are we supposed to store tokens then?

It’s quite confusing, and I seem to be missing something super obvious (or super complicated). Thanks for helping out!
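The cross-site cookie problem the question describes can be made concrete with a small model of the browser's cookie-attachment rules. The following is an added example (not code from the original poster): it approximates a cookie's "site" by the last two host labels (an assumption; browsers use the Public Suffix List), treats a blocked third-party cookie as "not sent", and then runs the poster's scenario of a control panel on `site1.com` calling an API on `example.com`.

```javascript
// Added example: simplified SameSite cookie-attachment model (not the original post's code).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Approximate the registrable domain with the last two host labels.
// Assumption: real browsers consult the Public Suffix List (e.g. foo.co.uk).
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// cookie: { secure, sameSite }   request: { pageOrigin, targetUrl, method, topLevelNavigation, thirdPartyCookiesBlocked }
function cookieAttached(cookie, request) {
  const sameSite = cookie.sameSite || 'Lax';   // browsers default to Lax when the attribute is absent
  const secure = Boolean(cookie.secure);
  const {
    pageOrigin,                        // origin of the document issuing the request
    targetUrl,                         // URL being fetched or navigated to
    method = 'GET',
    topLevelNavigation = false,        // true for a link click / redirect, false for fetch()/XHR
    thirdPartyCookiesBlocked = true,   // the post's premise: third-party cookies are gone
  } = request;

  if (secure && !targetUrl.startsWith('https://')) {
    return { sent: false, reason: 'Secure cookie is never sent over http' };
  }
  if (siteOf(pageOrigin) === siteOf(targetUrl)) {
    return { sent: true, reason: 'same-site request; SameSite does not restrict it' };
  }
  switch (sameSite) {
    case 'Strict':
      return { sent: false, reason: 'SameSite=Strict is never sent cross-site' };
    case 'Lax':
      if (topLevelNavigation && SAFE_METHODS.has(method)) {
        return { sent: true, reason: 'SameSite=Lax allows top-level navigation with a safe method' };
      }
      return { sent: false, reason: 'SameSite=Lax is not sent on a cross-site fetch/XHR' };
    case 'None':
      if (!secure) {
        return { sent: false, reason: 'SameSite=None without Secure is rejected by the browser' };
      }
      if (thirdPartyCookiesBlocked) {
        return { sent: false, reason: 'browser blocks third-party cookies' };
      }
      return { sent: true, reason: 'SameSite=None; Secure sent cross-site (third-party cookies allowed)' };
    default:
      return { sent: false, reason: `unknown SameSite value ${sameSite}` };
  }
}

// The scenario from the question: static control panel on site1.com, central API on example.com.
function scenario() {
  const sessionCookie = { name: 'session', httpOnly: true, secure: true, sameSite: 'Lax' };
  const api = { pageOrigin: 'https://site1.com', targetUrl: 'https://example.com/api/me', method: 'GET' };
  return {
    // the "traditional" same-site deployment: panel.example.com talking to example.com
    traditionalSameSite: cookieAttached(sessionCookie, { ...api, pageOrigin: 'https://panel.example.com' }),
    // the cross-site deployment with the default Lax cookie
    crossSiteLax: cookieAttached(sessionCookie, api),
    // SameSite=None; Secure, but third-party cookies are blocked
    crossSiteNoneBlocked: cookieAttached({ ...sessionCookie, sameSite: 'None' }, api),
    // the legacy case that used to work: third-party cookies still allowed
    crossSiteNoneAllowed: cookieAttached({ ...sessionCookie, sameSite: 'None' }, { ...api, thirdPartyCookiesBlocked: false }),
    // a top-level navigation to the login page is still covered by Lax
    loginNavigation: cookieAttached(sessionCookie, { ...api, targetUrl: 'https://example.com/login', topLevelNavigation: true }),
  };
}

for (const [name, result] of Object.entries(scenario())) {
  console.log(`${name}: sent=${result.sent} (${result.reason})`);
}
```

Only the first and last cases attach the cookie: a same-site deployment, or a top-level navigation to `example.com`. Every `fetch()` from a page on `site1.com` to the API on `example.com` is a cross-site request, so the HttpOnly session cookie is dropped by Lax and, once third-party cookies are blocked, by `SameSite=None; Secure` as well, which is exactly the constraint that pushes the poster toward script-readable storage.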
