I did my authentication on the server (Node.js) using passport.js and got the token. In order to render a page at the client, I need the token to pass along with an image URL which I want to show on the client side. How can I securely pass the token from server to client using the Express framework?
The standard way is to use an https connection and send it as plain JSON data.
For storage, your options are Cookies and Local Storage. This article from 2016 recommends using cookies with the HttpOnly cookie flag set.
To dig deeper, this StackOverflow question and answer compares the security of the two options, with no strong recommendation either way.

stone
- What if I store the token in the user object and then pass the user object in render? For example: res.render('signin.jade', { user: req.user }); This way I can pass locals to the jade file and can access the token in JavaScript on the client side. – Ashish Oct 03 '17 at 23:00
- Since you specifically asked about passing the token from client to server, I assumed you meant in an ajax call. Passing it in the rendered html could work too. What are you planning to do with the token once it gets to the client? – stone Oct 04 '17 at 00:13
- You will probably want to store it in a cookie or localstorage. (Otherwise, users will have to log in every time they load a page.) One way that is often done is to log in with an ajax call, store the cookie on the client, and then request a new page that is behind the login wall. After storing the token, every subsequent request passes the token back to the server, either automatically with cookies, or in the auth header. – stone Oct 04 '17 at 00:18
- Yeah, I can do it in a cookie or local storage to store the token, but is it safe to store the token there? – Ashish Oct 04 '17 at 18:05
- Whether safe or not, those are your only options! But in terms of safe, meaning, can't be read by hackers, in general they're no less safe than the browser window. So anything you're willing to send out to the user is not made less safe by storing it in localstorage or a cookie. Think about it this way - you _want_ the user to have this token, you're intentionally giving it to them. It's not a secret that you want to hide from them. You might be thinking of the encryption key used to generate tokens; _that_, you would never want to send out over the web. – stone Oct 04 '17 at 21:01
- There is a set of best practices for setting cookies and localstorage contents that you'll want to read to ensure you use them in the most secure way possible. – stone Oct 04 '17 at 21:06