I am working with an Angular application, a single-page application that communicates with a JSON web service for data.
The "login" in my Angular application really just exchanges the username / password for a token. This token is passed as a header on all subsequent requests, so the server can resolve them. This works fine until users refresh their browser window, of course (by reloading, or by leaving the "page" and returning).
Obviously, one option would be to force the user to re-enter their username / password, but this seems like a good way to not have users.
I can think of 4 options:
- Save the token in a secure session cookie. (What I'm doing now; I use only what the client can read. It is not used or required on the server.)
- Save the token using local storage. (It will be unsafe, and manual expiration maintenance is required.)
- Prevent the user from refreshing the browser using "onbeforeunload" code. (I don't like it when I get "are you sure you want to leave this page", and I assume that others feel the same way.)
- Include the token as part of the URL. (The URL may look large and messy. There may be a physical security risk. There is more work with bookmarks and expired tokens.)
Is option 1 the best option for this feature? Is there anything better than all this?
javascript angularjs browser api single-page-application
user605331
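As an added illustration of the question's second option (web storage with explicit expiry), here is a small token store that survives a page reload but refuses to hand back a stale token. This is example code written for this page, not code from the question's author or from Angular. It assumes the token is an opaque string returned by the JSON service together with its lifetime in seconds, that the server expects it in an `Authorization: Bearer` header (the header scheme is an assumption; the question only says "header"), and that the storage key name `authToken` is arbitrary. A Storage-like object (`getItem`/`setItem`/`removeItem`) is injected so the same functions work with `window.sessionStorage` in a browser and with a constructed in-memory stand-in when run under Node.

```javascript
// Added example for the question above: token persistence with an absolute
// expiry, so a reloaded single-page app can tell a live token from a dead one.
// Not the question author's code. Assumptions: opaque string token, lifetime
// given by the server in seconds, "Bearer" header scheme, key name below.

const STORAGE_KEY = 'authToken'; // hypothetical key name, any string works

// Constructed stand-in for window.sessionStorage so the example runs offline.
function createMemoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

// Persist the token with an absolute expiry timestamp (ms since epoch).
// Returns the expiry so the caller can schedule a re-login or refresh.
function saveToken(storage, token, lifetimeSeconds, now = Date.now()) {
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('token must be a non-empty string');
  }
  const record = { token, expiresAt: now + lifetimeSeconds * 1000 };
  storage.setItem(STORAGE_KEY, JSON.stringify(record));
  return record.expiresAt;
}

// Restore after a reload. Returns null, and purges the entry, when the record
// is missing, malformed, or already expired, so a stale token is never reused.
function loadToken(storage, now = Date.now()) {
  const raw = storage.getItem(STORAGE_KEY);
  if (raw === null) return null;
  let record;
  try {
    record = JSON.parse(raw);
  } catch (e) {
    storage.removeItem(STORAGE_KEY);
    return null;
  }
  const valid = record !== null && typeof record === 'object'
    && typeof record.token === 'string'
    && typeof record.expiresAt === 'number'
    && record.expiresAt > now;
  if (!valid) {
    storage.removeItem(STORAGE_KEY);
    return null;
  }
  return record.token;
}

// Explicit logout: remove the persisted token.
function clearToken(storage) {
  storage.removeItem(STORAGE_KEY);
}

// Headers for a request to the JSON service, or null when there is no live
// token, in which case the app should send the user back to the login view.
function authHeaders(storage, now = Date.now()) {
  const token = loadToken(storage, now);
  if (token === null) return null;
  return { Authorization: 'Bearer ' + token };
}

// Stand-alone walk-through with a constructed token and a fake clock:
// one request a minute after login succeeds, one two hours later does not.
function demo() {
  const storage = createMemoryStorage();
  const t0 = 1700000000000;
  saveToken(storage, 'constructed-token-123', 3600, t0);
  const live = authHeaders(storage, t0 + 60 * 1000);
  const stale = authHeaders(storage, t0 + 2 * 3600 * 1000);
  return { live, stale, purged: storage.getItem(STORAGE_KEY) === null };
}
```

In a browser, pass `window.sessionStorage` as `storage` to get the "cleared when the tab closes" behaviour the question's first option describes, or `window.localStorage` for the second option; either way the expiry check runs on every read, which is the "manual expiration maintenance" the question mentions. Whatever storage is used, anything readable from JavaScript is readable by any script running in the page, so the expiry window should be short and the server should still be able to revoke tokens on its side.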