So I am making a web app with Nuxt 3 and Laravel, and I can't seem to get the SPA authentication to work. So for now I am generating a user token and saving it in the cookies, so my user stays logged in. But I am doubting that this is a safe way to keep my user authenticated and do other actions. I tried looking up whether it is good to store it in cookies, but there are too many mixed reviews on this subject.
(The reason why I am personally storing it in the cookies is because Nuxt 3 is SSR and I won't be able to get the token if it is stored in localStorage.)
I know that cookies are more vulnerable to XSRF attacks and localStorage to XSS attacks.
But from what I understand, when I use the SPA authentication of Laravel, those sessions and tokens are going to be saved in the cookies as well, right? So what difference does that make compared with saving a token in the cookies?
2 Answers
TL;DR: store it in the cookies + add some flags to it.
Here is my other answer; HTTPOnly and withSecure add a layer of security to it. And that one should probably be totally fine.
XSRF is something that should not happen on your website but if somebody got caught by phishing, you can’t really protect the website more than that.
The security realm is a big thing, a system will never be bullet-proof: it’s more of a matter of following the best practices as much as possible.
You can mitigate the damage by assigning a short TTL to your tokens and checking their validity in a middleware that runs on every client-side navigation.
I’m not an expert in security but you will probably not need one either. Follow that advice and consider your job done.
Social engineering + other breaches can lead to your website being breached in far easier ways.
If you are a big corporate company that needs those drastic security measures, you also have probably spent millions on ways to lock your network security up.
If your Laravel API (assuming you are using Laravel as the API) and SPA (Nuxt) are on the same domain, you can use Sanctum cookie-based session authentication.
#1. Uncomment the EnsureFrontendRequestsAreStateful middleware in app/Http/Kernel.php
#2. Add SANCTUM_STATEFUL_DOMAINS to your .env file
#3. In config/cors.php, change support credentials to true
#4. Before you hit the login endpoint, make a request to 'sanctum/csrf-cookie' and then a POST request to the login endpoint
#5. Enable the 'withCredentials' option on your application's global axios instance