Hi Alex,
How do I prevent token auto-refresh or auto-logout? I'm dealing with an issue where I'm being automatically logged out after a certain time, even if I'm doing something on the web app.
Kindly add auto-refresh functionality for the JWT token when the token has expired.
Hey Alex,
What is the reason you are using JWT vs Laravel Passport? Looking forward to your answer.
I would like to know this too
How do I download these videos for offline use?
Hey Pirvan, you can download the videos for offline by clicking the icon within each part. Perhaps we should make that clearer.
Hi Alex,
great tutorial!
But I've a question: What if the token expires? How do I notify and/or redirect the user back to the home page? I'm struggling with this with my own application.
Isn't it a big no-no to store the JWT token in localStorage/sessionStorage, since it's accessible by JavaScript and, by extension, to any attacker who can compromise the site via an XSS attack, therefore compromising all tokens for every user? Shouldn't it be stored in an httpOnly cookie, so the server sends it and can still see it, but the client-side JavaScript has no knowledge of it?
Also if a client has a nefarious browser extension they could also grab the token and pretend to be the authorized user and do real damage.
You're right about the XSS attack possibility, so you'd need to take steps to make sure that possibility is limited as much as possible. In my opinion it's fine to store them there though; it's not a categorical no.
I will update the course to include appropriate cookie storage anyway.
Thanks for responding! You might be correct in that one should take time to harden their site against XSS. Although mistakes do happen and I could argue that it would be an easier fix to limit the authentication to an httpOnly cookie.
I haven't tested this, but my theory is that one could serve the static files from the apex domain, and the backend through a subdomain (api.website.com). The static Vue.js login process just sends the request to the API, which returns the httpOnly cookie and a body of true/false. This way the session would persist at the subdomain level and the Vue.js client knows to hide the login view and continue fetching the user data. The benefit of this is that Vue.js doesn't handle authentication in any way, besides sending the data forward. Tokens and all that would be handled by the browser.
Edit: I don't mean to shove 💩 in your face, but to improve the security aspect for everyone. Here are some people who arguably know security better than any of us: https://auth0.com/docs/security/store-tokens#don-t-store-tokens-in-local-storage
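The exchange sketched in the comment above, as an added example that is not part of the course or the commenter's own code: the API on the subdomain checks credentials, issues the JWT inside an HttpOnly cookie and answers with only a true/false body, and a protected endpoint takes its identity from that cookie alone. The cookie name, the api.website.com domain, the handler names and the credential/token helpers are assumptions for illustration; the tokens are constructed placeholders, not real JWTs.

```javascript
// Added example: a model of the "API issues the JWT in an HttpOnly cookie" login flow.
// COOKIE_NAME, COOKIE_DOMAIN and all handler names are assumptions for illustration.
const COOKIE_NAME = 'auth_token';
const COOKIE_DOMAIN = 'api.website.com'; // assumption: the backend subdomain from the comment

// Build the Set-Cookie header for an issued token. HttpOnly keeps it out of
// document.cookie, Secure restricts it to HTTPS, SameSite=Lax stops most
// cross-site POSTs from carrying it, and Max-Age bounds it to the token lifetime.
function buildAuthCookie(token, maxAgeSeconds) {
  if (/[;,\s]/.test(token)) throw new Error('token contains cookie-unsafe characters');
  return [
    `${COOKIE_NAME}=${token}`,
    `Domain=${COOKIE_DOMAIN}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',
    'Secure',
    'SameSite=Lax',
  ].join('; ');
}

// Parse an incoming Cookie header and return the auth token, or null if absent.
function readAuthCookie(cookieHeader) {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === COOKIE_NAME) return part.slice(eq + 1).trim();
  }
  return null;
}

// Login: on success the token travels only in the Set-Cookie header; the body is a flag.
function loginHandler(req, issueToken, checkCredentials) {
  if (!checkCredentials(req.body.email, req.body.password)) {
    return { status: 401, headers: {}, body: { ok: false } };
  }
  const { token, ttl } = issueToken(req.body.email);
  return { status: 200, headers: { 'Set-Cookie': buildAuthCookie(token, ttl) }, body: { ok: true } };
}

// Protected endpoint: the user's identity comes from the cookie, nothing else.
function meHandler(req, verifyToken) {
  const token = readAuthCookie(req.headers.cookie);
  const claims = token ? verifyToken(token) : null;
  if (!claims) return { status: 401, body: { ok: false } };
  return { status: 200, body: { ok: true, email: claims.sub } };
}

// Constructed stand-ins for the real credential check and JWT issue/verify routines.
const USERS = { 'alice@example.com': 'correct-horse' };
const ISSUED = new Map();
function demoCheckCredentials(email, password) { return USERS[email] === password; }
function demoIssueToken(email) {
  const token = `tok-${ISSUED.size + 1}`; // placeholder, not a real JWT
  ISSUED.set(token, { sub: email });
  return { token, ttl: 3600 };
}
function demoVerifyToken(token) { return ISSUED.get(token) || null; }

// Walk through the exchange: log in, then replay the cookie the browser would send back.
function demoFlow() {
  const login = loginHandler(
    { body: { email: 'alice@example.com', password: 'correct-horse' } },
    demoIssueToken, demoCheckCredentials,
  );
  const cookie = login.headers['Set-Cookie'].split(';')[0]; // the name=value pair the browser stores
  const me = meHandler({ headers: { cookie } }, demoVerifyToken);
  const anon = meHandler({ headers: {} }, demoVerifyToken);
  return {
    loginBody: login.body,
    setCookie: login.headers['Set-Cookie'],
    meStatus: me.status,
    email: me.body.email,
    anonStatus: anon.status,
  };
}

console.log(JSON.stringify(demoFlow(), null, 2));
```

Because the browser now attaches the cookie to every request to api.website.com on its own, state-changing endpoints need CSRF protection in addition to the SameSite attribute (Laravel ships a CSRF middleware for exactly this), and the SPA must send its requests with credentials enabled so the cookie is included on the cross-subdomain call.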
I watched this entire course and I wanted to implement the same thing while using httpOnly cookie(s) but I am stuck here https://stackoverflow.com/questions/58710013/httponly-cookie-not-being-set-stored-laravel-vue. Could you help?
Agree 100% and appreciate the feedback. I'll definitely get the course updated.
A cookie storage option would be great, since I've seen many warnings against storing JWTs in the browser's local storage.
Any idea when the HttpOnly cookie update will be here? :(
Also looking forward to getting the alternative solution for handling the "session" via the httpOnly cookie or similar. Any estimate when it might be available?
Thank you Alex :)
Thanks for the course. Starting from 11'43" in video 2 I get token:true in the response? Did I forget something?
Never mind, I didn't set up the
'defaults' => [
    'guard' => 'web',
to
'defaults' => [
    'guard' => 'api',
Glad you sorted it!
Nice refresh Alex, Thank you!
Any chance to cover two-factor authentication with JWT?
It's recorded and ready to go, and will be released shortly.
That's good news. THANK YOU!
Hi Alex
I just checked out this series again and the index suggested that this course had been updated 6 minutes ago. I was very pleased as I thought this meant that the httpOnly cookie video and/or the 2FA video was available. However, when I looked at the list of videos in the series, there are still 12 so I'm not sure if you've uploaded the new material but maybe forgotten to enable something to expose them for viewing.
I hate to appear to nag about this as I'm sure you have plenty to keep you out of mischief!
Iain
Hey Iain, you might have seen the incorrect timestamp through search (needs fixing).
The 2FA course is already released though, here's the link:
https://codecourse.com/courses/vue-two-factor-authentication
Ah, I see Alex - thank you.
I also looked into Kelly's post and the Stack Overflow question to which he referred (https://stackoverflow.com/questions/58710013/httponly-cookie-not-being-set-stored-laravel-vue). The post there is very detailed and Kelly reports what he had to do to get it working as required. I haven't got as far as implementing the front end yet as I'm working my way through your API course. When I have completed this, I will make a start on the front end and hope that I can get the HttpOnly cookie working as required. From what I have read, this is the safest way to protect the token ... until someone finds a way around it!
Iain
Hi Alex, would you maybe consider adding information about how to refresh tokens with axios interceptors (for instance)?
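As an added example that is not part of the course, here is the "refresh on 401, then retry once" pattern that an axios response interceptor would implement, covering both this question and the earlier ones about being logged out mid-session and notifying the user when the token expires. It is written against a minimal stand-in client so it runs without axios; createAuthClient, the transport function, the onLogout callback and the /api/refresh and /api/me endpoints are assumptions for illustration, and the fake server below is constructed for the demo. The example also handles the failure mode of several requests failing at once: one refresh is shared by all of them rather than each firing its own.

```javascript
// Added example: an auto-refresh-on-401 client of the kind an axios interceptor provides.
// All names here are assumptions; nothing is taken from the course's code.
function createAuthClient({ transport, onLogout }) {
  let accessToken = null;
  let refreshing = null; // the single in-flight refresh shared by concurrent 401s

  function setToken(token) { accessToken = token; }

  // Exchange the expired-but-still-refreshable token for a fresh one.
  // Concurrent callers reuse the same promise, so the server sees one refresh call.
  function refresh() {
    if (!refreshing) {
      refreshing = transport({
        url: '/api/refresh', method: 'POST',
        headers: { Authorization: `Bearer ${accessToken}` },
      })
        .then((res) => {
          if (res.status !== 200) throw new Error('refresh rejected');
          accessToken = res.body.token;
          return accessToken;
        })
        .finally(() => { refreshing = null; });
    }
    return refreshing;
  }

  // Send a request with the current token; on 401 refresh once and replay it.
  async function request(config) {
    const res = await transport({
      ...config,
      headers: { ...(config.headers || {}), Authorization: `Bearer ${accessToken}` },
    });
    if (res.status !== 401 || config._retried) return res;
    try {
      await refresh();
    } catch (e) {
      onLogout(); // refresh failed: the session is over, let the UI redirect to login
      return res;
    }
    return request({ ...config, _retried: true }); // replay exactly once
  }

  return { request, setToken, getToken: () => accessToken };
}

// Constructed stand-in for the API. Tokens are plain strings: 't1' is live,
// 't0' is expired but inside the server's refresh window, anything else is dead.
function makeFakeServer() {
  const live = new Set(['t1']);
  const refreshable = new Set(['t0']);
  let counter = 1;
  let refreshCalls = 0;
  const transport = async ({ url, headers }) => {
    const token = (headers.Authorization || '').replace('Bearer ', '');
    if (url === '/api/refresh') {
      refreshCalls += 1;
      if (!refreshable.has(token) && !live.has(token)) return { status: 401, body: {} };
      refreshable.delete(token);
      live.delete(token); // the old token is retired when a new one is issued
      const fresh = `t${++counter}`;
      live.add(fresh);
      return { status: 200, body: { token: fresh } };
    }
    if (url === '/api/me') {
      return live.has(token) ? { status: 200, body: { email: 'alice@example.com' } } : { status: 401, body: {} };
    }
    return { status: 404, body: {} };
  };
  return { transport, refreshCalls: () => refreshCalls };
}

// Two requests fire with an expired token: both get 401, one refresh happens, both succeed.
async function demoExpiredTokenIsRefreshed() {
  const server = makeFakeServer();
  let loggedOut = false;
  const client = createAuthClient({ transport: server.transport, onLogout: () => { loggedOut = true; } });
  client.setToken('t0');
  const [a, b] = await Promise.all([client.request({ url: '/api/me' }), client.request({ url: '/api/me' })]);
  return { statuses: [a.status, b.status], refreshCalls: server.refreshCalls(), token: client.getToken(), loggedOut };
}

// A token outside the refresh window cannot be refreshed: the client logs the user out.
async function demoDeadTokenLogsOut() {
  const server = makeFakeServer();
  let loggedOut = false;
  const client = createAuthClient({ transport: server.transport, onLogout: () => { loggedOut = true; } });
  client.setToken('dead');
  const res = await client.request({ url: '/api/me' });
  return { status: res.status, loggedOut };
}

demoExpiredTokenIsRefreshed().then((r) => console.log('refresh:', r));
demoDeadTokenLogsOut().then((r) => console.log('dead token:', r));
```

With real axios the same logic lives in `axios.interceptors.response.use(...)`: the error handler inspects `error.response.status`, awaits the shared refresh, and re-issues `error.config`. The refresh window itself must be enforced server-side (the backend decides how long an expired token stays refreshable), and the onLogout hook is where the Vue app clears its state and redirects to the login view.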