
If I'm not supposed to keep the JWT idToken around (the "gtoken" cookie), but only use it for authentication, then how can I use the ...?mode=manageAccount feature, which depends on the existence of idToken in the gtoken cookie?

Keep it stored on the backend and add a redirection step where I set it before redirecting to ...?mode=manageAccount and delete it afterwards?

Daniel F

1 Answer


It's not recommended to keep the ID token around to maintain a session; instead you should generate a separate session ID.

The operations in manageAccount (change email, change password) require the presence of a recent ID token, so having an old, potentially expired one present wouldn't be helpful.

cslink
  • So you mean to say that one should force a new login with a new redirect to the management widget, where the idToken then gets deleted after the management page is left? – Daniel F Aug 20 '15 at 09:27
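As an added example of the pattern the answer recommends (this is not code from the question, the answer, or the Identity Toolkit itself): verified ID-token claims are exchanged once for an opaque server-side session, the gtoken cookie is cleared so the JWT does not linger in the browser, and account-management operations are gated on a *recent* ID token, sending the user back through sign-in when the token they present is stale. The sample claims, the 5-minute freshness policy and the cookie names are assumptions; signature verification of the JWT is assumed to have been done by the toolkit SDK before these claims are handed over.

```python
"""Session handling after Google Identity Toolkit sign-in: added example,
not code from the question or answer above. Assumes the toolkit SDK has
already verified the ID token's signature and handed back its claims."""
import hashlib
import secrets

# Constructed sample claims, as the toolkit SDK would return them after
# verifying the gtoken JWT (assumption: only these fields are needed here).
SAMPLE_CLAIMS = {
    "user_id": "1234567890",
    "email": "user@example.com",
    "iat": 1440059220,         # issued-at, seconds since epoch
    "exp": 1440059220 + 3600,  # one hour validity
}

# Assumed policy: an ID token older than 5 minutes is not "recent" enough
# for sensitive operations (change email / password) and forces a re-login.
ID_TOKEN_MAX_AGE = 5 * 60


def id_token_is_recent(claims, now, max_age=ID_TOKEN_MAX_AGE):
    """True if the token is unexpired and was issued within max_age seconds."""
    return claims["exp"] > now and 0 <= now - claims["iat"] <= max_age


class SessionStore:
    """Server-side store keyed by a hash of the opaque session ID.

    Only the identity (user_id, email) is kept; the ID token is never
    stored, so a leaked store or cookie yields no reusable JWT."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _key(sid):
        # Hash the session ID so a read of the store does not reveal cookies.
        return hashlib.sha256(sid.encode("ascii")).hexdigest()

    def create(self, claims, now):
        if claims["exp"] <= now:
            raise ValueError("refusing to start a session from an expired ID token")
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._key(sid)] = {
            "user_id": claims["user_id"],
            "email": claims["email"],
            "created": now,
        }
        return sid

    def lookup(self, sid):
        return self._sessions.get(self._key(sid))

    def destroy(self, sid):
        self._sessions.pop(self._key(sid), None)


def login(store, claims, now):
    """Exchange verified ID-token claims for a session; return the session ID
    and the Set-Cookie headers: a hardened session cookie plus deletion of
    gtoken so the JWT does not linger in the browser."""
    sid = store.create(claims, now)
    headers = [
        f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax",
        "gtoken=; Path=/; Max-Age=0",
    ]
    return sid, headers


def account_management_allowed(store, sid, claims, now):
    """Gate for ?mode=manageAccount-style operations: requires a live session
    and a recent ID token for the same user. Returns 'ok', 'reauth' (send the
    user through sign-in again to obtain a fresh gtoken) or 'denied'."""
    session = store.lookup(sid)
    if session is None:
        return "denied"
    if claims is None:
        return "reauth"  # no gtoken presented at all
    if claims.get("user_id") != session["user_id"]:
        return "denied"  # token belongs to someone else
    if not id_token_is_recent(claims, now):
        return "reauth"  # stale or expired: force a fresh sign-in
    return "ok"


if __name__ == "__main__":
    store = SessionStore()
    t0 = SAMPLE_CLAIMS["iat"] + 30
    sid, headers = login(store, SAMPLE_CLAIMS, t0)
    print(headers)
    print(account_management_allowed(store, sid, SAMPLE_CLAIMS, t0))
    print(account_management_allowed(store, sid, SAMPLE_CLAIMS, t0 + 3000))
```

The "reauth" result is the answer's point in code: when the user reaches the management page with a stale or missing gtoken, the backend redirects through sign-in rather than re-using a saved token, and the fresh gtoken the widget sets is cleared again once the session has been established.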