important

This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

Store tokens (access and refresh) in cookies in header based auth mode

Status

This is just a proposal so far; it hasn't been accepted and needs further discussion.

Status:
proposed
Deciders:
rishabhpoddar, porcellus
Proposed by:
porcellus
Created:
2022-10-25

Context and Problem Statement#

In header based auth mode we have to decide where to store our tokens on the frontend.

Considered Options#

  • Cookies
  • Localstorage (or other similar)

Decision Outcome#

Use cookies: localstorage cannot share tokens between subdomains, and that disadvantage is huge.

Pros and Cons of the Options#

Cookies#

  • Consistent with front-token
  • Overriding all token storage can be done by just overriding cookies
  • Sent to the frontend server (minor)
  • Cleared in Safari after 7 days of inactivity (Source)

Local storage#

  • Very simple & easy to override
  • During development, removing a session would require clearing both localstorage and cookies
  • No way of sharing between subdomains
  • Inconsistent with where the front-token is stored, or requires changing the front-token storage as well
  • Cleared in Safari after 7 days of inactivity (Source)
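The following is an added illustration of the chosen option, not SuperTokens SDK code: a minimal cookie-backed token store for header based auth mode. In this mode the frontend has to read the tokens back out of `document.cookie` to put them in request headers, so the cookies cannot be HttpOnly and are also sent along with every request to the frontend server (the "sent to the frontend server" con above). The `domainMatches` helper implements the RFC 6265 domain-match rule to show why a cookie scoped to the parent domain is visible on every subdomain while localStorage is bound to one exact origin. The cookie names, the header names and the `.example.com` domain are assumptions for the example only.

```javascript
// Added example (not SuperTokens code): cookie-backed token storage for
// header based auth mode. Cookie and header names below are assumed.

const ACCESS_COOKIE = "st-access-token";   // assumed name
const REFRESH_COOKIE = "st-refresh-token"; // assumed name

// Parse a document.cookie / Cookie header string into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// Serialize an assignment string for document.cookie. Setting Domain to the
// registrable parent (e.g. ".example.com") makes the token visible on every
// subdomain, which is the property localStorage cannot provide. No HttpOnly:
// the frontend must be able to read the value to build the header.
// Note: cookies written from script are subject to Safari's 7-day ITP cap.
function serializeCookie(name, value, { domain, maxAgeSeconds, secure = true } = {}) {
  let s = `${name}=${encodeURIComponent(value)}; Path=/; SameSite=Lax`;
  if (domain) s += `; Domain=${domain}`;
  if (maxAgeSeconds !== undefined) s += `; Max-Age=${maxAgeSeconds}`;
  if (secure) s += "; Secure";
  return s;
}

// Headers attached to an API call in header based mode: the access token
// travels in Authorization rather than being sent automatically as a cookie.
function authHeadersFromCookies(cookieString) {
  const jar = parseCookies(cookieString);
  const headers = {};
  if (jar[ACCESS_COOKIE]) headers["Authorization"] = `Bearer ${jar[ACCESS_COOKIE]}`;
  return headers;
}

// Headers for the refresh call (header name is assumed).
function refreshHeadersFromCookies(cookieString) {
  const jar = parseCookies(cookieString);
  const headers = {};
  if (jar[REFRESH_COOKIE]) headers["Authorization"] = `Bearer ${jar[REFRESH_COOKIE]}`;
  return headers;
}

// RFC 6265 section 5.1.3 domain matching: a cookie with Domain=example.com is
// visible on example.com and on any host ending in ".example.com".
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// localStorage, by contrast, is partitioned by exact origin.
function localStorageShared(originA, originB) {
  return originA.toLowerCase() === originB.toLowerCase();
}

// Stand-alone demo on a constructed cookie string.
const demoJar = serializeCookie(ACCESS_COOKIE, "header.payload.sig", {
  domain: ".example.com",
  maxAgeSeconds: 3600,
});
console.log(demoJar);
console.log(authHeadersFromCookies("st-access-token=header.payload.sig; theme=dark"));
console.log(domainMatches("app.example.com", ".example.com"));   // true
console.log(localStorageShared("https://app.example.com", "https://auth.example.com")); // false
```

In a browser the store would be wired up by assigning `serializeCookie(...)` to `document.cookie` and passing `document.cookie` into the header helpers before each fetch; the parsing and matching logic is unchanged.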