Hi again
> I had the impression that cookies are still "the way things are done", and
> to be honest didn't really consider not using them at all. But it seems I
> should revise that :)
>
>
I agree it is still very common, and if you wish you can combine different
methods. But the newer authentication schemes like OpenID Connect or
Mozilla Persona, or authorization schemes like OAuth 2, don't rely on cookies by
design.
> So you would need to send the session token (in any data format really, I
> guess it can also be the same content as the cookie I'm constructing
> currently) in a custom header, and you would get CSRF protection "for
> free", though it would only work for AJAX requests.
>
Correct. But if you use header-based CSRF protection you are limited to AJAX requests
anyhow. You can of course send CSRF tokens in other ways, but that goes for
a JWT or other type of token as well. So I do believe you have a 1:1
correlation when it comes to limitations.
> Ah, microservices, right ;) Although I suppose it's quite common to have a
> single "orchestrator" service which does the whole frontend job. But of
> course it doesn't have to be that way.
>
Yes, microservices ("SOA done right") is one scenario. Any organization with
many applications that are not managed by a single team is another
(enterprise organizations).
> When using Local Storage, would you still separate the "current session
> data" - containing the signed/encrypted user id or username (that would go
> to sessionStorage) and a "remember me token" (stored in localStorage) like
> you do with cookies? It has some nice properties, like varying access
> levels based on automatic/manual logins or knowing when users log in
> (automatically or manually).
>
Hmm, I haven't considered that scenario so I don't have a strong opinion.
Off the top of my head I would create a remember-me token with longer
expiration but lower access rights and keep that in Local Storage. Then I
would allow for an upgrade login, and that token would be stored in Session
Storage and shadow the "remember me" token.
> Thanks,
> Adam
>
--
>>>>>>>>>> Read the docs: http://akka.io/docs/
>>>>>>>>>> Check the FAQ:
>>>>>>>>>> http://doc.akka.io/docs/akka/current/additional/faq.html
>>>>>>>>>> Search the archives: https://groups.google.com/group/akka-user
---
You received this message because you are subscribed to the Google Groups "Akka
User List" group.
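The two points made in the reply above, sending the token in a custom header so that a cross-site form post is rejected, and keeping a lower-privilege remember-me token in localStorage that an upgraded session token in sessionStorage shadows, written out as an added example. This is illustration code, not code from the thread or from Akka; the header name `X-Auth-Token`, the access levels, the token strings and the expiry values are all constructed, and the Web Storage objects are replaced by a small in-memory shim so the example runs outside a browser.

```javascript
// Added example (not from the mailing-list thread). Client side: choose which token
// to send and put it in a custom header. Server side: require that header and map the
// token to an access level. All names and values below are assumptions for illustration.

const AUTH_HEADER = 'X-Auth-Token';          // assumed header name
const LEVELS = { remember: 1, full: 2 };     // constructed access levels
const REMEMBER_KEY = 'rememberMeToken';      // localStorage key (assumed)
const SESSION_KEY = 'sessionToken';          // sessionStorage key (assumed)

// Constructed stand-in for window.localStorage / window.sessionStorage so the
// example runs in Node; the three methods match the Web Storage API.
function makeStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

// Remember-me token: long-lived, low access level, survives a browser restart.
function storeRememberMe(local, token) { local.setItem(REMEMBER_KEY, token); }
// Upgrade login: full-access token that lives only as long as the tab/session.
function storeUpgraded(session, token) { session.setItem(SESSION_KEY, token); }
function dropUpgraded(session) { session.removeItem(SESSION_KEY); }

// The session token shadows the remember-me token whenever both are present.
function currentToken(local, session) {
  return session.getItem(SESSION_KEY) || local.getItem(REMEMBER_KEY);
}

// Headers for an AJAX call. A cross-site <form> or <img> request cannot carry a
// custom header, so its presence tells the server the request came from script
// running on our own origin (the "CSRF protection for free" from the thread).
function authHeaders(local, session) {
  const token = currentToken(local, session);
  return token ? { [AUTH_HEADER]: token } : {};
}

// Server side (hypothetical): `issued` maps token -> { level, expires } and `now`
// returns the current time in seconds. A real server would verify a signature or
// consult a session store instead of this constructed table.
function makeAuthorizer(issued, now) {
  return function authorize(headers, requiredLevel) {
    const name = Object.keys(headers)
      .find((h) => h.toLowerCase() === AUTH_HEADER.toLowerCase());
    if (name === undefined) {
      return { ok: false, reason: 'no custom header: plain form post or cross-site request' };
    }
    const record = issued.get(headers[name]);
    if (!record) return { ok: false, reason: 'unknown token' };
    if (record.expires <= now()) return { ok: false, reason: 'expired token' };
    if (LEVELS[record.level] < LEVELS[requiredLevel]) {
      return { ok: false, reason: `needs ${requiredLevel}, token grants ${record.level}` };
    }
    return { ok: true, level: record.level };
  };
}

// Walk through the life cycle described in the reply and collect the outcomes.
function demo() {
  const local = makeStorage();
  const session = makeStorage();
  const issued = new Map([                               // constructed token table
    ['rm-token-1', { level: 'remember', expires: 30 * 86400 }],
    ['sess-token-1', { level: 'full', expires: 3600 }],
  ]);
  let clock = 0;
  const authorize = makeAuthorizer(issued, () => clock);
  const out = {};

  out.noToken = authorize(authHeaders(local, session), 'remember').ok;      // false
  storeRememberMe(local, 'rm-token-1');                                     // automatic login
  out.rememberRead = authorize(authHeaders(local, session), 'remember').ok; // true
  out.rememberFull = authorize(authHeaders(local, session), 'full').ok;     // false: too weak
  storeUpgraded(session, 'sess-token-1');                                   // manual upgrade login
  out.shadowed = currentToken(local, session);                              // 'sess-token-1'
  out.upgradedFull = authorize(authHeaders(local, session), 'full').ok;     // true
  clock = 3600;                                                             // session token expires
  out.expiredFull = authorize(authHeaders(local, session), 'full').ok;      // false
  dropUpgraded(session);                                                    // tab closed / downgrade
  out.backToRemember = currentToken(local, session);                        // 'rm-token-1'
  out.formPost = authorize(                                                 // cross-site form, no header
    { 'Content-Type': 'application/x-www-form-urlencoded' }, 'remember').ok; // false
  return out;
}
```

The server never falls back to a cookie, so a forged cross-site request that carries no custom header is rejected before any token lookup; the expiry check shows why the remember-me token should grant less than the upgraded one, since it is the token that stays on the machine longest and is readable by any script on the origin.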