How to choose between Session Cookies, Session variable and Local variable

  • benjabievres-1305588025345966090

    benjabievres

    4 months ago

    Hey dear Toddle Community!

    Once a user logs in (from a Login page), my endpoint returns 2 tokens.
    I need to use these tokens in all pages of my app.

    What do you recommend between session and local variables?

    I tested Session Cookie Access_token for one of the tokens, it worked fine on my computer, but not on my iPhone?!?! (I tried on Safari and Chrome, same result: the variable is not substituted).

    If I use session variables, how long do they last?

    How do I detect the session is expired (so that I redirect the user to the login page)?

    Thank you!
  • lucasg-1305588955369963570

    Lucas G

    4 months ago

    Only use http-cookies for things like access tokens
  • Other methods are not secure and are not meant to store sensitive things like those
  • Session cookies work in all browsers though
  • lucasg-1305589456199352440

    Lucas G

    4 months ago

    If you’re having issues with session cookies then something else is going on
  • benjabievres-1305596650441412628

    benjabievres

    4 months ago

    @Lucas G I will try again with http-cookies then. Thanks a lot!
  • benjabievres-1305611912062439495

    benjabievres

    4 months ago

    @Lucas G , just a dummy question: when I select "Set Session Cookies", I can't add any other custom variable, I can only set "Access Token". How do I store the other token (or variables)? Do I use Set Session Storage? Thanks
  • lucasg-1305612710142021672

    Lucas G

    4 months ago

    What other cookies do you need to set?
  • benjabievres-1305613008398979112

    benjabievres

    4 months ago

    I need to set 2 tokens
  • Once my session is started, I need to call 2 different servers using a different token
  • lucasg-1305614221655937075

    Lucas G

    4 months ago

    Sounds like you need to set two different session cookies
  • From two different calls
  • benjabievres-1305614511482343515

    benjabievres

    4 months ago

    oh... How can we differentiate each cookie then?
  • lucasg-1305615569420157119

    Lucas G

    4 months ago

    That's a good question. I think Team toddle would answer it more accurately
  • benjabievres-1305615679117983846

    benjabievres

    4 months ago

    Thanks a lot @Lucas G
  • andreasmoller-1305615712743854110

    Andreas Møller

    4 months ago

    You can’t currently set more than one session_cookie
  • benjabievres-1305616298100658236

    benjabievres

    4 months ago

    Ok then, what about concatenating the 2 tokens with a special character and split them according to my needs (assuming I can access the session_cookie in a formula)?
  • lucasg-1305617323880611841

    Lucas G

    4 months ago

    That is technically possible but not quite best practice 🤔 you can technically even use JSON ['token1', 'token2']
  • benjabievres-1305617561475616821

    benjabievres

    4 months ago

    that's the format I use to return the 2 tokens 😊. I can try to set directly Data from the response.
  • lucasg-1305617678643495047

    Lucas G

    4 months ago

    It's not quite a secure approach though so I can't say it is recommended but it should work
  • Then the formula would get the appropriate index when passing it in the call
  • benjabievres-1305617970084581427

    benjabievres

    4 months ago

    I will try and investigate. But first I need to understand why it doesn't work on my iPhone
  • lucasg-1305618015500501062

    Lucas G

    4 months ago

    An alternative would be to use one main backend that handles auth and passes the requests along accordingly
  • benjabievres-1305618432586153985

    benjabievres

    4 months ago

    Yes @Lucas G I'm currently using Make as the middleware, it's a good idea, I will handle my tokens differently 😊
  • Since I generate my own token to secure calls to my webhooks, I will do it differently.
  • benjabievres-1305619237762502847

    benjabievres

    4 months ago

    My initial goal was to call the Make API and some webhooks, according to the use-case. The Make API requires an API Key, while I can do anything for the webhooks (I manually check in the Make Scenarios). I found it nice to be able to use 2 different tokens, but I can still use only one, and just accept the Make API Key everywhere 😎
  • benjabievres-1305777157808590870

    benjabievres

    4 months ago

    Hello @Andreas Møller and @Lucas G I'm still struggling with setting and getting the session cookie, may I ask you for tips? Apparently, my cookie is correctly set from the response I get. But then, in the next page, the cookie.access_token seems not to be substituted with the actual value. In the Chrome dev tool, I can see that the header sent to my API is still {{ cookies.access_token}}. Besides, I can see I do have a cookie with the relevant value (is it normal I can see its value?). I think I'm doing something wrong but I can't figure it out. Thanks
  • andreasmoller-1305779251869388853

    Andreas Møller

    4 months ago

    These are some very close up screen shots. It’s hard to see what I am looking at 🙂
  • andreasmoller-1305779776522293298

    Andreas Møller

    4 months ago

    Also, the first chunk of a JWT (the kind of access token you use) is the header; it is not the secret part, so you don’t have to blur it, as long as you don’t show anything after the first .
  • andreasmoller-1305780689668407347

    Andreas Møller

    4 months ago

    You won’t see the access_token in the browser; it is added on when the request is passed through the proxy
  • benjabievres-1305796093640052788

    benjabievres

    4 months ago

    Oh, what information are you looking for? I'm blurring because it's the actual token I get (it's actually an API key, and not an access_token; I don't want to hard-code it in the application, and I want to use a different API Key for different users; that's why I mimic the behavior of access_token generation 😊)
  • benjabievres-1305799348390596659

    benjabievres

    4 months ago

    Damn, never mind, I found what I was doing wrong... It was expecting "Token xxxxxxx" and I was sending "token xxxxxx".... 😅😅😅😅. Sorry about that. And thanks a lot for trying to help me! Cheers
  • benjabievres-1305824201479028737

    benjabievres

    4 months ago

    Just a little question then: I understood that the browser passes the {{ cookies.access_token }} variable to the Toddle Server that proxies the call, and then this variable is replaced by the server with the actual value. The access_token stays on the server, right? And for Session and Local storage, all stays on the browser; is that a correct assumption?
  • andreasmoller-1305851724325584897

    Andreas Møller

    4 months ago

    Yes that is correct. For security reasons the browser JS cannot read the value of the cookie, therefore we send the placeholder.
  • This approach is more secure than storing a token in localstorage.
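
Added example, not part of the thread and not toddle's code: a minimal Node.js sketch of the pattern described above, where the browser sends the literal `{{ cookies.access_token }}` placeholder and a proxy swaps in the value of an HttpOnly cookie. The function names, the cookie attributes and the handling of a missing cookie are assumptions for illustration.

```javascript
// Added illustration, not toddle's implementation. All names are hypothetical.
const PLACEHOLDER = /\{\{\s*cookies\.([A-Za-z0-9_]+)\s*\}\}/g;

// Build a Set-Cookie value that page JavaScript cannot read (HttpOnly).
function buildSessionCookie(name, value, maxAgeSeconds) {
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAgeSeconds}; ` +
    'Path=/; HttpOnly; Secure; SameSite=Lax';
}

// Parse a Cookie request header into a name -> value map.
function parseCookies(cookieHeader) {
  const jar = new Map();
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch { /* keep raw value */ }
    jar.set(name, value);
  }
  return jar;
}

// Proxy side: replace placeholders in outgoing headers with cookie values.
// Returns { headers, missing }; `missing` lists cookie names that were absent,
// which a proxy could treat as "no valid session" (assumption, e.g. reply 401).
function resolvePlaceholders(outgoingHeaders, cookieHeader) {
  const jar = parseCookies(cookieHeader);
  const missing = [];
  const headers = {};
  for (const [key, raw] of Object.entries(outgoingHeaders)) {
    headers[key] = String(raw).replace(PLACEHOLDER, (match, name) => {
      if (jar.has(name)) return jar.get(name);
      missing.push(name);
      return '';
    });
  }
  return { headers, missing };
}

// Constructed sample: what the browser sends vs. what the upstream API receives.
const fromBrowser = { Authorization: 'Token {{ cookies.access_token }}' };
const cookieHeader = 'theme=dark; access_token=constructed-sample-value';
const resolved = resolvePlaceholders(fromBrowser, cookieHeader);
console.log(resolved.headers.Authorization);
```

The `Token ` prefix sits outside the placeholder, so its spelling and case reach the upstream API exactly as typed in the header definition.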

© Copyright 2024 toddle. All rights reserved.