Hello Everyone,
For one of the feature in our AEM application, when user click on login, 3rd party login page is opened. User will enter the username, password in that. Then, on successful login, this redirects to my AEM application page and we are saving the user details(user-token, access-token) in browser cookie. Then onwards, Application checks, whether the user details cookies are present in browser or not. If yes, that means user is logged in. Is it the right way of storing the user details in browser cookie? Or any other approach is there instead of using the browser cookie?
How can I mitigate the risk of: if someone deliberately modifies the user details cookie.
Thanks in advance.
Solved! Go to Solution.
Views
Replies
Total Likes
@Mahesh_Gunaje It is a best practice to always make a server side call in this case and at the same time create server side cookie and handle session over server.
Always, provide encrypted value to frontend team and decrypt at the time of getting request from FE and than send it to 3rd party API.
It will be great if you have OAuth2.0 implementation done, read more about OAuth implementation
https://medium.com/@toimrank/oauth2-0-authorization-9645ce81e3d2
In your case, it is safe, as we are directly accessing the API through the browser, and at any point in time, anyone can see details. Your third-party API must have some kind of domain check or certificate uploaded on a specific path, which the third-party API will call to verify where this request is actually coming from.
@Mahesh_Gunaje It is a best practice to always make a server side call in this case and at the same time create server side cookie and handle session over server.
Always, provide encrypted value to frontend team and decrypt at the time of getting request from FE and than send it to 3rd party API.
It will be great if you have OAuth2.0 implementation done, read more about OAuth implementation
https://medium.com/@toimrank/oauth2-0-authorization-9645ce81e3d2
In your case, it is safe, as we are directly accessing the API through the browser, and at any point in time, anyone can see details. Your third-party API must have some kind of domain check or certificate uploaded on a specific path, which the third-party API will call to verify where this request is actually coming from.
Thanks @Imran__Khan for the quick reply and the solution.
Have one more query. Recently I am trying to get the Adobe Analytics report in my AEM application. Here, one major task is to get the Auth token.
https://developer.adobe.com/analytics-apis/docs/2.0/guides/
This has: OAuth Server to Server: Use a server to server account to authenticate with the API.
For this, looks like I need to use oAuth 2.0 implementation. Am I right?
Earlier I thought of asking this query as a separate question. Since, you have mentioned about oAuth2.0, I am asking here.
- Thanks
Hi @Mahesh_Gunaje, if you store something in browser, always there is a chance of fabrication in the stored data that is why lots of option are available in modern browser like put cookie expiry time as your session, if you want you can save data in sessionStorage of the browser.
Since for servers browser is a user so implementing any solution on user's session n all you have to relay on browser only.
Hope this helps
Umesh Thakur
@Mahesh_Gunaje Considering perfomance storing user details in browser cookies can be good appropriate for some use cases. but it's essential to implement proper security measures and consider alternatives based on your application's requirements and compliance needs.
Below are some of the guidelines to follow
@Mahesh_Gunaje Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out solution yourself, please share it with the community.
Views
Replies
Total Likes
Views
Likes
Replies