Where do you store auth tokens?


#1

Occasionally users open up my app and discover that they are logged out, and I am trying to uncover all the potential reasons why…

Whenever a user logs in, I get an auth token from the server which I then store in $http.defaults.headers.common.Authorization and I also place it in local storage.

When the user opens up the app again I just check to see if the token exists in local storage and I reset the $http.defaults… If the server sends me a 401, then I intercept it and log the user out. Done. Tokens don’t expire or get reset in my backend, so users really shouldnt get a 401 unless something changes on the client side.

Where do you store auth tokens? Local storage & indexdb aren’t persistent. Is my only reliably persistent option the sqlite plugin?


#2

i am using localstorage, but if you have a token based authentication your tokens should expire after a fixed duration and should be binded on an uuid otherwise it is like storing clean passwords permanently on your device


#3

If a user registers and then closes the app, I want them to be able to open it 3 months from now and not have to login again. Is this reasonable?

What do you mean about binding on a uuid?


#4

oauth2 or oauth are the current standards for token authorization.
If someone is logging in you are creating a token pair of access-, and refresh-token.

The refreshtoken expires after a fixed time. With the refreshtoken you can generate a new tokenpair if the accesstoken has expired.

If you are storing your accesstoken forever without binded to an uuid (a unique device) or a unique useragent string someone who knows that could read that token --> installs the or opens your website and use this accesstoken to be logged in