I currently use the Spring OAuth 2 framework for authentication and authorization. When I googled what the best way to store the access token and refresh token is, I was recommended to store the access token in memory, such as a variable, and store the refresh token in a secured HttpOnly cookie. This was working fine until I faced a new issue.
I opened a new tab next to the tab where I was already logged in. Now the problem is that instead of going directly into the application, the login page was presented. I again enter my username and password and log in on the second tab without any issues.
But when I log out from the 2nd tab, both the first and second tabs get logged out, since the refresh token cookie is shared but the access token is not shared between tabs, as it's stored in a variable.
I was expecting the following results:
- When I log in on my second tab, I expect the session to be separate. The reason I'm setting the refresh token in cookies instead of storing it in a variable like the access token is that there are multiple applications hosted on the same domain to implement the SSO concept. When another application is clicked, instead of routing to a login page, I just get a new access token for the application using the refresh token that is stored in the HttpOnly cookie.
- I was told the only solution is to store the access token in localStorage or normal cookies so that I can also share the access token between tabs, but it seems not to be a secure way, as the token can be stolen using an XSS attack.
Hoping for an optimal solution. BTW, when the user logs out, I invalidate both the access and refresh tokens from my JDBC token store.
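The mechanism the question describes (access token held only in a variable, refresh token only in an HttpOnly cookie, a new access token fetched via that cookie) as an added browser-side example; this is not code from the question or from Spring OAuth2. The endpoint path `/oauth/token`, a server that reads the refresh token from the cookie, and the `{ access_token, expires_in }` reply shape are assumptions.

```javascript
// Added example, not code from the question or from Spring OAuth2: a per-tab
// access-token holder that tries to restore the session through the HttpOnly
// refresh cookie before showing the login page. Assumed: the endpoint path
// "/oauth/token", a server that reads the refresh token from that cookie, and a
// JSON reply shaped { access_token, expires_in }.
function createTokenStore(fetchImpl, refreshUrl = "/oauth/token") {
  let accessToken = null; // lives only in this tab's JavaScript memory
  let expiresAt = 0;      // epoch ms; refresh shortly before it is reached
  // credentials: "include" makes the browser attach the HttpOnly refresh
  // cookie, so script never handles the refresh token and XSS cannot read it.
  async function refresh() {
    const res = await fetchImpl(refreshUrl, {
      method: "POST",
      credentials: "include",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: "grant_type=refresh_token",
    });
    if (!res.ok) { // cookie missing, expired or already revoked at logout
      accessToken = null;
      expiresAt = 0;
      return false;
    }
    const body = await res.json();
    accessToken = body.access_token;
    expiresAt = Date.now() + body.expires_in * 1000;
    return true;
  }

  // Run once when a tab loads: "app" if the session could be restored from
  // the refresh cookie, "login" if the user really has to authenticate.
  async function bootstrap() {
    return (await refresh()) ? "app" : "login";
  }

  // Hand out the in-memory token, refreshing when absent or about to expire.
  async function getAccessToken() {
    if (!accessToken || Date.now() >= expiresAt - 5000) await refresh();
    return accessToken;
  }
  return { bootstrap, getAccessToken };
}

// Constructed stand-in for fetch so the example runs offline: it answers the
// way the token endpoint would with (true) or without (false) a valid cookie.
function fakeFetch(hasValidCookie) {
  return async () => hasValidCookie
    ? { ok: true, json: async () => ({ access_token: "at-1", expires_in: 300 }) }
    : { ok: false, json: async () => ({ error: "invalid_grant" }) };
}
```

A second tab that calls `bootstrap()` on load lands in the application whenever the refresh cookie is still valid, and only falls back to the login page when it is not.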