Adding a Set-Cookie header if 'cookie' is enabled? #646
Comments
Well, creating the cookie is your own responsibility, so after generating the JWT just set the cookie, for example like this:

```php
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\Response;

$response = new Response();
$response->headers->setCookie(
    new Cookie(
        'BEARER',                // cookie name, should be the same as in JWT settings
        'YOUR_JWT_TOKEN',        // the cookie value, e.g. the generated JWT token
        new \DateTime('+1 day'), // the expiration
        '/',                     // the path
        null,                    // the domain; null means no Domain attribute is sent (host-only cookie)
        true,                    // secure, i.e. only sent via https
        true,                    // http only cookie, which is the default so no need to specify
        false,                   // raw
        'strict'                 // the same-site parameter, can be 'lax' or 'strict'
    )
);

return $response;
```
Thanks for the complete reply! That's a great answer. I was just wondering why this isn't made the default when cookie is enabled (or in another setting), since most people using it will have to do it themselves.
For anyone still trying to do that, instead of e.g. storing the token in local storage (which is not secure, although it is suggested way too many times...), here is an implementation example for SF4:

config/packages/lexik_jwt_authentication.yaml

```yaml
lexik_jwt_authentication:
    secret_key: '%env(resolve:JWT_SECRET_KEY)%'
    public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
    pass_phrase: '%env(JWT_PASSPHRASE)%'
    token_ttl: '%env(JWT_TTL)%'
    # Add the following
    token_extractors:
        cookie:
            enabled: true
            name: __Host-JWT
```

config/services.yaml

```yaml
services:
    app.event.jwt_authentication_success_listener:
        class: App\EventListener\JWTAuthenticationSuccessListener
        arguments:
            $tokenLifetime: '%env(JWT_TTL)%'
        tags:
            tag_1:
                name: kernel.event_listener
                event: lexik_jwt_authentication.on_authentication_success
                method: onAuthenticationSuccess
```

src/EventListener/JWTAuthenticationSuccessListener.php

```php
<?php

namespace App\EventListener;

use Exception;
use Lexik\Bundle\JWTAuthenticationBundle\Event\AuthenticationSuccessEvent;
use Symfony\Component\HttpFoundation\Cookie;

/**
 * Class JWTAuthenticationSuccessListener
 * @package App\EventListener
 */
class JWTAuthenticationSuccessListener
{
    /**
     * @var int
     */
    private $tokenLifetime;

    public function __construct(int $tokenLifetime)
    {
        $this->tokenLifetime = $tokenLifetime;
    }

    /**
     * Sets JWT as a cookie on successful authentication.
     *
     * @param AuthenticationSuccessEvent $event
     * @throws Exception
     */
    public function onAuthenticationSuccess(AuthenticationSuccessEvent $event): void
    {
        $event->getResponse()->headers->setCookie(
            new Cookie(
                '__Host-JWT',                  // Cookie name, should be the same as in config/packages/lexik_jwt_authentication.yaml.
                $event->getData()['token'],    // cookie value
                time() + $this->tokenLifetime, // expiration
                '/',                           // path (must be '/' for a __Host- cookie)
                null,                          // domain; null means no Domain attribute is sent, which the __Host- prefix requires
                true,                          // secure
                true,                          // httpOnly
                false,                         // raw
                'lax'                          // same-site parameter, can be 'lax' or 'strict'.
            )
        );
    }
}
```
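As an added example (not from the bundle and not part of any comment in this thread), here is a stand-alone PHP check that parses the Set-Cookie line a listener like the one above, or the snippet in the first reply, produces, and flags the attributes this thread is about: HttpOnly, Secure, SameSite, plus the extra rules browsers enforce for the __Host- prefix (Secure required, Path=/ required, no Domain). It assumes PHP 8 (for str_starts_with) and runs on constructed sample headers whose token is a placeholder, not a real JWT.

```php
<?php
// Added example: audit a Set-Cookie header value carrying a JWT. Not bundle code.
declare(strict_types=1);

/**
 * Parse one Set-Cookie header value into [name, value, attributes].
 * Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
 */
function parseSetCookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    [$name, $value] = array_pad(explode('=', array_shift($parts), 2), 2, '');
    $attrs = [];
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        [$k, $v] = array_pad(explode('=', $part, 2), 2, true);
        $attrs[strtolower($k)] = $v;
    }
    return [$name, $value, $attrs];
}

/**
 * Return a list of problems for a JWT-bearing cookie; an empty array means acceptable.
 */
function auditJwtCookie(string $header): array
{
    [$name, $value, $attrs] = parseSetCookie($header);
    $problems = [];

    if (!isset($attrs['httponly'])) {
        $problems[] = 'missing HttpOnly: token readable by page scripts (XSS exposure)';
    }
    if (!isset($attrs['secure'])) {
        $problems[] = 'missing Secure: token would also be sent over plain HTTP';
    }
    $sameSite = strtolower((string) ($attrs['samesite'] ?? ''));
    if (!in_array($sameSite, ['lax', 'strict'], true)) {
        $problems[] = 'SameSite should be Lax or Strict to limit cross-site sending';
    }
    if (str_starts_with($name, '__Host-')) {
        // Browsers reject __Host- cookies that violate any of these rules.
        if (!isset($attrs['secure'])) {
            $problems[] = '__Host- prefix requires Secure';
        }
        if (($attrs['path'] ?? '') !== '/') {
            $problems[] = '__Host- prefix requires Path=/';
        }
        if (isset($attrs['domain'])) {
            $problems[] = '__Host- prefix forbids a Domain attribute';
        }
    }
    // A compact JWS is exactly three base64url segments separated by dots.
    if (!preg_match('~^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$~', $value)) {
        $problems[] = 'cookie value is not a three-segment JWT';
    }
    return $problems;
}

// Constructed sample: the shape of the line the listener above emits (placeholder token).
$good = '__Host-JWT=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJl; '
      . 'expires=Wed, 01 Jan 2025 00:00:00 GMT; Max-Age=3600; path=/; secure; httponly; samesite=lax';
print_r(auditJwtCookie($good));

// Constructed counter-example: same token, but readable by scripts, sent over HTTP,
// and invalid for the __Host- prefix because of the path and domain.
$bad = '__Host-JWT=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJl; path=/api; domain=example.com';
print_r(auditJwtCookie($bad));
```

Run it with `php audit.php` against a header copied from your own login response (for example from the browser's network panel); the last check is also a quick way to see whether the value the cookie extractor will read is still a complete three-segment token.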
The bundle will automatically set the cookie and recommend using cookies in the next minor version.
Thanks @chalasr. I am waiting for this version impatiently. With body and localstorage (Angular) I have no problem, but with cookie, following the previous advice and this tutorial (https://www.youtube.com/watch?v=uboIb2__qqs), I get an invalid JWT token when using Postman. Have a nice day.
Hello, may I contact you? I always have the same error with my Symfony 5 and Angular 8 application. The JWT token is invalid. When I put it in localstorage it's good, but with cookie I have this error.

The request header gives:

Cookie: REFRESH_TOKEN=0a3fa8859db72db27e11d6a97cc04bf0c7af6786d66f9b1b273f29ffa4069c707f8cba94b363f5ff63515c92d2ddfacbf0382c7125c09f6a50d27afef2e2d088; BEARER=eyJ0eXAiOiJKV1QiL.eyJpYXQiOjE1ODUwNzUzNTMsIFkbWluIn0.fI5fcb7abFQe3f1-OE

I deleted part of the letters for secrecy, but I have two dots. So I don't understand this problem. Could you help me? I have no issue. Thanks a lot.
Is this new minor version now released? I can't find any reference to this new feature in the documentation. Thanks.

Implemented in #753, released in v2.7.0

Anyone tried this?
@lionelkimbs You need some additional config to enable this feature, see https://github.com/lexik/LexikJWTAuthenticationBundle/blob/master/Resources/doc/1-configuration-reference.md#automatically-generating-cookies |
Hello,
I just started using the bundle, it works great so far, but one thing bothers me. For now, I store my JWT tokens in localstorage in my frontend application, but it is not recommended and is a security risk.
I read online that the tokens are usually stored in httpOnly cookies. I would love to do that with this bundle, as it seems to work with cookies as well:
This looks great, but with this config enabled, the response does not feature a Set-Cookie header, so that makes it useless for me.
Does it seem like a good idea to add the Set-Cookie header with the httpOnly parameter? And if not, how would you suggest using the cookies in a secure manner?
Thank you