Saving user details in browser cookie | Adobe Higher Education
Skip to main content
M
Mahesh_Gunaje
Level 7
February 13, 2024
Besvarat

Saving user details in browser cookie

  • February 13, 2024
  • 4 svar
  • 1243 visningar

Hello Everyone,

 

For one of the feature in our AEM application, when user click on login, 3rd party login page is opened. User will enter the username, password in that. Then, on successful login, this redirects to my AEM application page and we are saving the user details(user-token, access-token) in browser cookie.  Then onwards, Application checks, whether the user details cookies are present in browser or not. If yes, that means user is logged in.  Is it the right way of storing the user details in browser cookie? Or any other approach is there instead of using the browser cookie?

How can I mitigate the risk of: if someone deliberately modifies the user details cookie.

 

Thanks in advance.

Det här ämnet har stängts för svar.
Bästa svar av Imran Khan

@mahesh_gunaje It is a best practice to always make a server side call in this case and at the same time create server side cookie and handle session over server.

Always, provide encrypted value to frontend team and decrypt at the time of getting request from FE and than send it to 3rd party API.
It will be great if you have OAuth2.0 implementation done, read more about OAuth implementation
https://medium.com/@toimrank/oauth2-0-authorization-9645ce81e3d2

In your case, it is safe, as we are directly accessing the API through the browser, and at any point in time, anyone can see details. Your third-party API must have some kind of domain check or certificate uploaded on a specific path, which the third-party API will call to verify where this request is actually coming from.

4 svar

Imran Khan
Community Advisor
Imran KhanCommunity AdvisorSvar
Community Advisor
February 13, 2024

@mahesh_gunaje It is a best practice to always make a server side call in this case and at the same time create server side cookie and handle session over server.

Always, provide encrypted value to frontend team and decrypt at the time of getting request from FE and than send it to 3rd party API.
It will be great if you have OAuth2.0 implementation done, read more about OAuth implementation
https://medium.com/@toimrank/oauth2-0-authorization-9645ce81e3d2

In your case, it is safe, as we are directly accessing the API through the browser, and at any point in time, anyone can see details. Your third-party API must have some kind of domain check or certificate uploaded on a specific path, which the third-party API will call to verify where this request is actually coming from.

    M
    Mahesh_GunajeSkribent
    Level 7
    February 13, 2024

    Thanks @imran__khan   for the quick reply and the solution.

    Have one more query.  Recently I am trying to get the Adobe Analytics report in my AEM application. Here, one major task is to get the Auth token.

     

    https://developer.adobe.com/analytics-apis/docs/2.0/guides/

    This has: OAuth Server to Server: Use a server to server account to authenticate with the API.

    https://developer.adobe.com/developer-console/docs/guides/authentication/ServerToServerAuthentication/

    For this, looks like I need to use oAuth 2.0 implementation.  Am I right?

    Earlier I thought of asking this query as a  separate question. Since, you have mentioned about oAuth2.0, I am asking here.

    - Thanks

      Umesh_Thakur
      Community Advisor
      Umesh_ThakurCommunity Advisor
      Community Advisor
      February 13, 2024

      Hi @mahesh_gunaje, if you store something in browser, always there is a chance of fabrication in the stored data that is why lots of option are available in modern browser like put cookie expiry time as your session, if you want you can save data in sessionStorage of the browser.
      Since for servers browser is a user so implementing any solution on user's session n all you have to relay on browser only.  

      Hope this helps

      Umesh Thakur

        Jagadeesh_Prakash
        Community Advisor
        Jagadeesh_PrakashCommunity Advisor
        Community Advisor
        February 13, 2024

        @mahesh_gunaje  Considering perfomance storing user details in browser cookies can be good appropriate for some use cases. but it's essential to implement proper security measures and consider alternatives based on your application's requirements and compliance needs.

         

        Below are some of the guidelines to follow

         

        • Consider using the Secure and HttpOnly flags for cookies to prevent certain types of attacks.
        • Ensure that sensitive user information is encrypted and properly validated to mitigate security
        • Session Storage and Local Storage: These are alternatives to cookies for storing data in the browser. Session storage is cleared when the browser session ends, while local storage persists until explicitly cleared by the user or the application.
        • JWTs can be used to securely transmit information between parties as a JSON object. They are commonly used for authentication and can be stored in memory or in other storage mechanisms.
        • if your AEM application integrates with third-party authentication providers, consider implementing Single Sign-On (SSO) solutions like OAuth or SAML. These protocols enable users to authenticate once and access multiple applications without needing to log in again.
          kautuk_sahni
          Community Manager
          kautuk_sahniCommunity Manager
          Community Manager
          February 16, 2024

          @mahesh_gunaje Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.

          Kautuk Sahni
          Villkor och bestämmelserAccessibility statement

          Loading footer...