Nuxt•3y ago

Auth cookie

Hello Everyone, I have a nuxt 3 application with an auth system, when I log the user, i store the user data in a cookie this way :

useCookie('_auth', {
                sameSite: 'Strict',
                maxAge: 3600,
            }).value = this.user

useCookie('_auth', {
                sameSite: 'Strict',
                maxAge: 3600,
            }).value = this.user

useCookie('_auth', {
                sameSite: 'Strict',
                maxAge: 3600,
            }).value = this.user

useCookie('_auth', {
                sameSite: 'Strict',
                maxAge: 3600,
            }).value = this.user

And I have a global client middleware that will feed my pinia data thanks to this cookie

    state: () => ({
        authenticated: false,
        action: null,
        user: {},
    }),

initialize() {
            const authCookie = useCookie('_auth')

            if (authCookie.value) {
                this.user = authCookie.value
                this.authenticated = true
            }
        },

    state: () => ({
        authenticated: false,
        action: null,
        user: {},
    }),

initialize() {
            const authCookie = useCookie('_auth')

            if (authCookie.value) {
                this.user = authCookie.value
                this.authenticated = true
            }
        },

    state: () => ({
        authenticated: false,
        action: null,
        user: {},
    }),

initialize() {
            const authCookie = useCookie('_auth')

            if (authCookie.value) {
                this.user = authCookie.value
                this.authenticated = true
            }
        },

    state: () => ({
        authenticated: false,
        action: null,
        user: {},
    }),

initialize() {
            const authCookie = useCookie('_auth')

            if (authCookie.value) {
                this.user = authCookie.value
                this.authenticated = true
            }
        },

All of this works fine, the problem is that a malecious user can modify the contents of their own user's cookie to access things they shouldn't, how can i prevent it?

Lord AurelionOP•3/13/23, 11:08 PM

Ooh yeah I see will try to hash if i dont find any solution, is there no other way than to store the auth user in a cookie, how to feed my pinia states by executing the xhr request before the component renders the page?

Lord AurelionOP•3/21/23, 1:53 PM

Thanks you all, you can close this ticket. I found a way around the problem and no longer storing user data in a cookie at all, I simply execute a request to the server /api/user each time the page is refreshed, and that returns the user data to finally store them in Pinia. I still use a _auth cookie to determine if the user is logged in when he refreshes to avoid making a request to the server for no reason

Auth cookie

Similar Threads

Similar Threads

Similar Threads