Wed, Dec 11, 10:15 PM

How to choose between Session Cookies, Session variable and Local variable

  • benjabievres

    1 month ago

    Hey dear Toddle Community!

    Once a user logs in (from a Login page), my endpoint returns 2 tokens.
    I need to use these tokens in all pages of my app.

    What do you recommend between session and local variables?

    I tested Session Cookie Access_token for one of the tokens, it worked fine on my computer, but not on my iPhone?!?! (I tried on Safari and Chrome, same result: the variable is not substituted).

    If I use session variables, how long do they last?

    How do I detect the session is expired (so that I redirect the user to the login page)?

    Thank you!
  • Lucas G

    1 month ago

    Only use http-cookies for things like access tokens
  • Other methods are not secure and are not meant to store sensitive things like those
  • Session cookies work in all browsers though
  • Lucas G

    1 month ago

    If you’re having issues with session cookies then something else is going on
  • benjabievres

    1 month ago

    @Lucas G I will try again with http-cookies then. Thanks a lot!
    👍1
  • benjabievres

    1 month ago

    @Lucas G , just a dummy question: when I select "Set Session Cookies", I can't add any other custom variable, I can only set "Access Token". How do I store the other token (or variables)? Do I use Set Session Storage? Thanks
  • Lucas G

    1 month ago

    What other cookies do you need to set?
  • benjabievres

    1 month ago

    I need to set 2 tokens
  • Once my session is started, I need to call 2 different servers using a different token
  • Lucas G

    1 month ago

    Sounds like you need to set two different session cookies
  • From two different calls
  • benjabievres

    1 month ago

    oh... How can we differentiate each cookie then?
  • Lucas G

    1 month ago

    That's a good question. I think Team toddle would answer it more accurately
    👍1
  • benjabievres

    1 month ago

    Thanks a lot @Lucas G
  • Andreas Møller

    1 month ago

    You can’t currently set more than one session_cookie
    👍1
  • benjabievres

    1 month ago

    Ok then, what about concatenating the 2 tokens with a special character and split them according to my needs (assuming I can access the session_cookie in a formula)?
  • Lucas G

    1 month ago

    That is technically possible but not quite best practice 🤔 you can technically even use JSON ['token1', 'token2']
  • benjabievres

    1 month ago

    that's the format I use to return the 2 tokens 😊. I can try to set directly Data from the response.
  • Lucas G

    1 month ago

    It's not quite a secure approach though so I can't say it is recommended but it should work
  • Then the formula would get the appropriate index when passing it in the call
  • benjabievres

    1 month ago

    I will try and investigate. But first I need to understand why it doesn't work on my iphone
  • Lucas G

    1 month ago

    An alternative would be to use one main backend that handles auth and passes the requests along accordingly
  • benjabievres

    1 month ago

    Yes @Lucas G I'm currently using Make as the middleware, it's a good idea, I will handle my tokens differently 😊
  • Since I generate my own token to secure calls to my webhooks, I will do it differently.
    👍1
  • benjabievres

    1 month ago

    My initial goal was to call the Make API and some webhooks, according to the use-case. The Make API requires an API Key, while I can do anything for the webhooks (I manually check in the Make Scenarios). I found it nice to be able to use 2 different tokens, but I can still use only one, and just accept the Make API Key everywhere 😎
  • benjabievres

    29 days ago

    Hello @Andreas Møller and @Lucas G I'm still struggling with setting and getting the session cookie, may I ask you for tips? Apparently, my cookie is correctly set from the response I get. But then, in the next page, the cookie.access_token seems not to be substituted with the actual value. In the Chrome dev tool, I can see that the header sent to my API is still {{ cookies.access_token}}. Besides, I can see I do have a cookie with the relevant value (is it normal I can see its value?). I think I'm doing something wrong but I can't figure it out. Thanks
  • Andreas Møller

    29 days ago

    These are some very close up screen shots. It’s hard to see what I am looking at 🙂
  • Andreas Møller

    29 days ago

    Also the first chunk of a JWT (the kind of access token you use) is the header, it is not the secret part so you don’t have to blur it. As long as you don’t show anything after the first .
  • Andreas Møller

    29 days ago

    You won’t see the access_token in the browser; it is added on when the request is passed through the proxy
    👍1
  • benjabievres

    29 days ago

    Oh, what information are you looking for? I'm blurring because it's the actual token I get (it's actually an API key, and not an access_token; I don't want to hard-code it in the application, and I want to use a different API Key for different users; that's why I mimic the behavior of access_token generation) 😊
  • benjabievres

    29 days ago

    Damn, never mind, I found what I was doing wrong... It was expecting "Token xxxxxxx" and I was sending "token xxxxxx".... 😅😅😅😅. Sorry about that. And thanks a lot for trying to help me! Cheers
    🙌1
  • benjabievres

    29 days ago

    Just a little question then: I understood that the browser passes the {{ cookies.access_token }} variable to the Toddle Server that proxies the call, and then this variable is replaced by the server with the actual value. The access_token stays on the server, right? And for Session and Local storage, all stays on the browser; is that a correct assumption?
  • Andreas Møller

    29 days ago

    Yes that is correct. For security reasons the browser JS cannot read the value of the cookie, therefore we send the placeholder.
    👍1
  • This approach is more secure than storing a token in localstorage.
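
The placeholder flow described in the last few posts, sketched as an added example that is not part of the thread and is not toddle's own code: the token is stored in an HttpOnly cookie, the browser sends only the `{{ cookies.access_token }}` placeholder, and the proxy fills in the real value. The function names, the cookie attributes, the sample values and the choice to forward nothing when the cookie is absent are all assumptions.

```javascript
// Added sketch, not toddle's code; all function names are hypothetical.

// Set-Cookie value for a token that page JavaScript must never read.
function buildSessionCookie(name, value, maxAgeSeconds) {
  return [
    `${name}=${encodeURIComponent(value)}`,
    'HttpOnly',     // not exposed through document.cookie
    'Secure',       // sent over HTTPS only
    'SameSite=Lax', // assumption: adjust to the app's cross-site needs
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
  ].join('; ');
}

// Parse the Cookie header that the browser attaches to the proxied request.
function parseCookies(cookieHeader) {
  const jar = new Map();
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    try {
      jar.set(part.slice(0, eq).trim(), decodeURIComponent(part.slice(eq + 1).trim()));
    } catch {
      // malformed percent-encoding: ignore this cookie
    }
  }
  return jar;
}

// Server side: swap {{ cookies.NAME }} placeholders for the real cookie values.
// The rest of each header (for example the "Token " prefix) is passed through
// byte for byte, so its case must already match what the upstream API expects.
function substituteCookiePlaceholders(templatedHeaders, cookieHeader) {
  const jar = parseCookies(cookieHeader);
  const missing = [];
  const headers = {};
  const pattern = /\{\{\s*cookies\.([A-Za-z0-9_]+)\s*\}\}/g;
  for (const [name, template] of Object.entries(templatedHeaders)) {
    headers[name] = template.replace(pattern, (match, key) => {
      if (jar.has(key)) return jar.get(key);
      missing.push(key);
      return match;
    });
  }
  // A missing cookie means no usable session: forward nothing upstream.
  return missing.length ? { headers: null, missing } : { headers, missing };
}
```

A non-empty `missing` list is the point at which a caller could send the user back to the login page.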
