Support browser refresh

[thedug]

Using window.sessionStorage means the token will not survive a browser refresh.

What would be the advisable approach here

1. Request a new token on application startup, just in case there is already a session on the server for that user?

2. Store the token in a cookie?

3. non session browser storage could be sketchy since it lives beyond life of the browser, it could be stolen.

[pose]

Hi @thedug,

1. and 3): If you are using tokens you may not have a session on your server as you are not using cookies.

2. That's a possible approach. Another alternative would be using localStorage. Take into account that the cookie is client-side, so there is no session stored at the server.

IMHO, there is no a definite answer here but it's basically a trade off between security (sessionStorage) and UX (localStorage, client-side usage of cookies).

Hope that helps!

[thedug]

Yeah.. I'd like to avoid sessions on the service if possible. Although I did consider an auth service that would hold only auth state, for the purpose of requesting a token.

I considered using window.localStorage but was a little concerned about security.
I guess cookies would be just as in-secure.