3,597 questions
Where to store Access Token after Web API Authentication?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 95%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKA%3C/text%3E%3C/svg%3E)
Kevin Azure
141
Reputation points
I am having 2 application components:
- Web API protected with JWT
- WEB APPLICATION WEB APPLICATION authenticates user with login page (username, password) to the WEB API and gets the Access-token & Refresh-token.
Where do I store the Access-token?
[so that everytime WEB APPLICATION user will send this access token, I can transfer same to WEB API]
Cookie?
Please advice.
Developer technologies ASP.NET Other
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 36%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELH%3C/text%3E%3C/svg%3E)
Lan Huang-MSFT 30,186 Reputation points Microsoft External Staff2023-03-15T03:09:14.2633333+00:00 Hi @Kevin Azure,
I think you can try using FormsAuthentication.RedirectFromLoginPage Method.
public static void RedirectFromLoginPage (string userName, bool createPersistentCookie);createPersistentCookie Boolean
true to create a durable cookie (one that is saved across browser sessions); otherwise, false.When you use CORS and send the authentication cookie to your WebApi, the WebApi doesn't care whether the authentication is from an old "Remember me" cookie or from a fresh login. All it cares about is that the cookie value passed in the Authorization header is valid.
-
Kevin Azure 141 Reputation points
2023-03-15T13:35:06.4133333+00:00 Thanks @Lan Huang-MSFT
Since I already have Access Token & Refresh Token: Can you validate my below approach too?
- Store the Access Token as Cookie for the WEBAPP
- Store the Refresh Token to Database
- Use Request Interceptor to check Cookie for every requests
- If Cookie is expiring - Use Refresh Token to generate new Access Token - Replace the Cookie
- If Refresh Token also expired - Remove Cookie - Redirect user to Login Page
-
Kevin Azure 141 Reputation points
2023-03-17T01:55:17.1866667+00:00 @Lan Huang-MSFT please advice
-
Lan Huang-MSFT 30,186 Reputation points Microsoft External Staff
2023-03-17T03:22:07.6833333+00:00 Hi @Kevin Azure,
Can you validate my below approach too?
I don't know how to help you verify your method, I don't even have your project.
Do you want to know if these methods are feasible?
Based on these methods, I can only provide posts that may be helpful to you.
Store the Access Token as Cookie for the WEBAPP
You don't know how to store?
You can check out this post on where to properly and securely store JWT tokens in web-based applications and this post on storing access and refresh tokens in cookies
Store the Refresh Token to Database
https://stackoverflow.com/a/40117262
If Refresh Token also expired - Remove Cookie - Redirect user to Login Page
https://stackoverflow.com/questions/52175302/handling-expired-refresh-tokens-in-asp-net-core
Sign in to comment
Sign in to answer