SOLVED

Saving user details in browser cookie

Level 8

Hello Everyone,

 

For one of the features in our AEM application, when the user clicks on login, a 3rd party login page is opened. The user enters the username and password there. Then, on successful login, it redirects to my AEM application page and we save the user details (user-token, access-token) in a browser cookie. From then on, the application checks whether the user details cookies are present in the browser or not. If yes, that means the user is logged in. Is this the right way of storing the user details, in a browser cookie? Or is there any other approach instead of using the browser cookie?

How can I mitigate the risk of someone deliberately modifying the user details cookie?

 

Thanks in advance.

1 Accepted Solution

Correct answer by
Community Advisor

@Mahesh_Gunaje It is a best practice to always make a server-side call in this case and at the same time create a server-side cookie and handle the session on the server.

Always provide an encrypted value to the frontend team and decrypt it at the time of getting the request from the FE, and then send it to the 3rd party API.
It will be great if you have an OAuth 2.0 implementation done; read more about OAuth implementation:
https://medium.com/@toimrank/oauth2-0-authorization-9645ce81e3d2

In your case, it is safe, as we are directly accessing the API through the browser, and at any point in time anyone can see the details. Your third-party API must have some kind of domain check or certificate uploaded on a specific path, which the third-party API will call to verify where this request is actually coming from.
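The server-side session that this answer recommends, written out as an added example (it is not code from the thread or from AEM): the browser receives only an opaque random session id in a hardened cookie, while the user-token and access-token stay in a server-side store (an in-memory dict here stands in for a real store such as Redis) and are attached by the server when it calls the 3rd party API. A cookie value that is modified or guessed in the browser maps to no session at all, which is what addresses the tampering concern in the question. The function names, the 30-minute TTL and the sample token values are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass

# Assumed session lifetime; a real deployment would pick this per policy.
SESSION_TTL_SECONDS = 30 * 60


@dataclass
class Session:
    user_id: str
    user_token: str      # never sent to the browser
    access_token: str    # never sent to the browser
    expires_at: float


# Constructed in-memory store standing in for Redis/DB; keyed by session id.
_store = {}


def create_session(user_id, user_token, access_token, now=None):
    """Store the 3rd party tokens server-side and return an opaque id."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 bits of entropy: unguessable, unforgeable
    _store[sid] = Session(user_id, user_token, access_token, now + SESSION_TTL_SECONDS)
    return sid


def session_cookie_header(sid):
    """Set-Cookie line carrying only the id, with the hardening attributes set."""
    # HttpOnly: no script access; Secure: TLS only; SameSite=Lax: not sent on
    # cross-site POSTs; Max-Age matches the server-side expiry.
    return (f"Set-Cookie: sid={sid}; Path=/; Max-Age={SESSION_TTL_SECONDS}; "
            "Secure; HttpOnly; SameSite=Lax")


def parse_cookie(cookie_header):
    """Minimal parser for a request Cookie header: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def lookup_session(sid, now=None):
    """Return the live Session for sid, or None if unknown or expired."""
    now = time.time() if now is None else now
    session = _store.get(sid)
    if session is None:
        return None          # forged, tampered or logged-out id
    if now >= session.expires_at:
        del _store[sid]      # expired: drop it so it cannot be replayed later
        return None
    return session


def is_logged_in(cookie_header, now=None):
    """The 'is the user logged in' check: the id must resolve server-side."""
    sid = parse_cookie(cookie_header).get("sid")
    return sid is not None and lookup_session(sid, now) is not None


def call_third_party(sid, now=None):
    """The server, not the browser, attaches the access token to the outbound call."""
    session = lookup_session(sid, now)
    if session is None:
        raise PermissionError("no valid session")
    return {"Authorization": f"Bearer {session.access_token}"}
```

With this layout the cookie carries nothing worth decrypting, so the frontend never needs the token at all; the server-side store is the single place to revoke access (delete the entry) when the user logs out or the 3rd party token is rotated.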

5 Replies


Level 8

Thanks @Imran__Khan for the quick reply and the solution.

I have one more query. Recently I have been trying to get the Adobe Analytics report in my AEM application. Here, one major task is to get the auth token.

 

https://developer.adobe.com/analytics-apis/docs/2.0/guides/

This has: OAuth Server to Server: Use a server to server account to authenticate with the API.

https://developer.adobe.com/developer-console/docs/guides/authentication/ServerToServerAuthenticatio...

For this, it looks like I need to use an OAuth 2.0 implementation. Am I right?

Earlier I thought of asking this as a separate question. Since you have mentioned OAuth 2.0, I am asking it here.

- Thanks

Community Advisor

Hi @Mahesh_Gunaje, if you store something in the browser, there is always a chance of fabrication of the stored data. That is why lots of options are available in modern browsers, like setting the cookie expiry time to your session; if you want, you can save the data in the sessionStorage of the browser.
Since for servers the browser is the user, for implementing any solution on the user's session and all, you have to rely on the browser only.

Hope this helps

Umesh Thakur

Community Advisor

@Mahesh_Gunaje Considering performance, storing user details in browser cookies can be appropriate for some use cases, but it's essential to implement proper security measures and consider alternatives based on your application's requirements and compliance needs.

 

Below are some of the guidelines to follow

 

  • Consider using the Secure and HttpOnly flags for cookies to prevent certain types of attacks.
  • Ensure that sensitive user information is encrypted and properly validated to mitigate security
  • Session Storage and Local Storage: these are alternatives to cookies for storing data in the browser. Session storage is cleared when the browser session ends, while local storage persists until explicitly cleared by the user or the application.
  • JWTs can be used to securely transmit information between parties as a JSON object. They are commonly used for authentication and can be stored in memory or in other storage mechanisms.
  • If your AEM application integrates with third-party authentication providers, consider implementing Single Sign-On (SSO) solutions like OAuth or SAML. These protocols enable users to authenticate once and access multiple applications without needing to log in again.
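A check for the first two bullets, as an added example rather than code from the thread or from AEM: audit_set_cookie reports which of Secure, HttpOnly and SameSite a Set-Cookie header lacks, and sign_cookie_value / verify_cookie_value attach an HMAC-SHA256 tag so that a cookie value altered in the browser is rejected on the next request. Signing gives integrity, not confidentiality: anything that must stay secret still belongs server-side or has to be encrypted separately. The function names and the constructed signing key are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed signing key for the example; in practice load it from a secret
# store and rotate it (keep the old key briefly to verify cookies issued before).
COOKIE_SIGNING_KEY = secrets.token_bytes(32)

# Attributes a session cookie should always carry.
REQUIRED_ATTRS = ("Secure", "HttpOnly", "SameSite")


def audit_set_cookie(header):
    """Return the hardening attributes missing from a Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    # parts[0] is name=value; the rest are attributes, compared case-insensitively
    present = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return [a for a in REQUIRED_ATTRS if a.lower() not in present]


def _b64(raw):
    # URL-safe base64 without padding, so the value is cookie-safe
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie_value(payload, key=COOKIE_SIGNING_KEY):
    """Serialize payload and append an HMAC tag: '<body>.<tag>'."""
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_cookie_value(value, key=COOKIE_SIGNING_KEY):
    """Return the payload if the tag is valid, else None (tampered or malformed)."""
    try:
        body, tag = value.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # constant-time comparison so timing does not leak how many bytes matched
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        return json.loads(_unb64(body))
    except ValueError:  # bad base64 (binascii.Error) or bad JSON are ValueErrors
        return None
```

The body is plain base64 of the JSON, so it is readable by anyone who holds the cookie; the tag only stops it being changed. Keep the payload to non-secret claims (user id, role, issue time) and let the server decide what they are allowed to do.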

Administrator

@Mahesh_Gunaje Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found the solution yourself, please share it with the community.



Kautuk Sahni