Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

Using a Cookie (with HTTPOnly flag) for authentication instead of plain Tokens #1564

Answered by YuriiMotov
sinkozs asked this question in Questions
Discussion options

First Check

  • I added a very descriptive title here.
  • I used the GitHub search to find a similar question and didn't find it.
  • I searched in the documentation/README.
  • I already searched in Google "How to do X" and didn't find any information.
  • I already read and followed all the tutorial in the docs/README and didn't find an answer.

Commit to Help

  • I commit to help with one of those options 👆

Example Code

def set_auth_cookie(subject: str | Any, expires_delta: timedelta) -> Response:
 access_token = create_access_token(subject, expires_delta)
 response = JSONResponse(content={"message": "Login successful"})
 # Note: The secure flag on cookies ensures they're only sent over encrypted HTTPS connections. For local development (HTTP) set it to False
 response.set_cookie(
 key="http_only_auth_cookie",
 value=access_token,
 httponly=True,
 max_age=3600,
 expires=3600,
 samesite="lax",
 secure=True,
 domain=None,
 )
 return response
@router.post("/login/access-token")
def login_access_token(
 session: SessionDep, form_data: Annotated[OAuth2PasswordRequestForm, Depends()]
) -> JSONResponse:
 """
 OAuth2-compatible token login: get an access token for future requests (sent in an HTTP-only cookie)
 """
 user = crud.authenticate(
 session=session, email=form_data.username, password=form_data.password
 )
 if not user:
 raise HTTPException(status_code=400, detail="Incorrect email or password")
 elif not user.is_active:
 raise HTTPException(status_code=400, detail="Inactive user")
 access_token_expires = timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES)
 return security.set_auth_cookie(user.id, access_token_expires)

Description

I'm thinking about changing the authentication flow: use a cookie (with the httponly=True option) for authentication instead of sending the token in plain text. HTTP-only cookies can't be accessed by JavaScript, making them resistant to cross-site scripting (XSS) attacks. I believe this is a more secure approach, and I'm happy to implement the change, but since it would require modifying multiple files I wanted to discuss it first. I already have a POC version running locally. I copied the main backend code changes above.

Operating System

Linux

Operating System Details

Ubuntu

Python Version

Python 3.10.12

Additional Context

No response
You must be logged in to vote

There is already an issue: #189

And, in the comments to your PR it's discussed that this approach will not work in Swagger UI..

Replies: 2 comments

Comment options

There is already an issue: #189

And, in the comments to your PR it's discussed that this approach will not work in Swagger UI..
You must be logged in to vote
0 replies
Answer selected by YuriiMotov
Comment options

Storing access_token in localStorage makes server side rendering in private pages impossible.
You must be logged in to vote
0 replies
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question Further information is requested

AltStyle によって変換されたページ (->オリジナル) /