Channel: Ionic Framework - Ionic Forum

What are the best practices for authentication in Ionic?


I’m personally using Ionic 5 React and Capacitor 2, and soon will upgrade to Capacitor 3. But the relevance of this question isn’t limited to those details.

So far I’ve seen two clusters of recommendations for how to set up authentication.

  1. I’ve seen some blog posts recommend storing authentication tokens in Ionic Storage and then sending them with the Authentication header in HTTP calls made with axios or whatever other browser-based HTTP library you’re using.

Example: https://www.techiediaries.com/ionic/ionic-5-jwt-authentication-node-expressjs/

I assume the reason the author of that blog post is okay with storing the authentication information in the header is because the token is a JWT with an encrypted signature, so it can’t be modified. However, it could still be copied by a malicious script. Theoretically, storing authentication credentials in Storage isn’t secure, although I’m not sure how significant a concern that is with mobile apps that take reasonable precautions.

  2. Other people are trying to use HTTP cookies instead. This seems like the more secure approach. However, I also see that there are sometimes issues with using cookies within WebViews (example: 140205 – WKWebView does not provide a way to set cookie accept policy), and it seems people are working around this using capacitor/http, as discussed at Cookie-based authentication for iOS for Ionic React / Capacitor.

I’m posting this topic because I would prefer to avoid spending maybe days implementing one of these methods, and then go through the trouble of launching an app on the App Store / Play Store, only to find that there are obscure bugs with using whatever authentication method I have implemented.

Is there a reliable solution to implementing HTTP cookies for authentication in Ionic projects? Or is the less secure approach of storing authentication tokens in Storage (or SecureStorage) the best approach from a reliability, “it’s definitely going to work” perspective?
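
The difference the post draws between a token that cannot be modified and one that can still be copied, shown as an added example (not part of the original post or the linked tutorial): a minimal HS256 JWT signer and verifier for Node.js, as the API server would run it. The secret, claims and helper names are constructed for illustration, and the `exp` check follows the standard JWT expiry claim.

```javascript
// Added illustration: secret, claims and helper names are constructed.
const { createHmac, timingSafeEqual } = require('node:crypto');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
const mac = (data, secret) => createHmac('sha256', secret).update(data).digest();

function signJwt(claims, secret) {
  const data = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}`;
  return `${data}.${mac(data, secret).toString('base64url')}`;
}

// Returns the claims when the signature is valid and the token is unexpired, else null.
function verifyJwt(token, secret, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const expected = mac(`${head}.${body}`, secret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  try {
    if (dec(head).alg !== 'HS256') return null; // pin the algorithm
    const claims = dec(body);
    return typeof claims.exp === 'number' && nowSec < claims.exp ? claims : null;
  } catch {
    return null; // malformed JSON in header or payload
  }
}

// The payload is only base64url-encoded: any holder can read it without the key.
const readClaimsWithoutKey = (token) => dec(token.split('.')[1]);

// Swap the payload but keep the old signature, as an edited token would look.
function withEditedClaims(token, changes) {
  const [head, body, sig] = token.split('.');
  return `${head}.${enc({ ...dec(body), ...changes })}.${sig}`;
}

function demo() {
  const secret = 'constructed-server-side-secret';
  const now = 1700000000; // fixed clock so the result is reproducible
  const token = signJwt({ sub: 'user-42', role: 'user', exp: now + 900 }, secret);
  return {
    readable: readClaimsWithoutKey(token).role, // readable without the secret
    edited: verifyJwt(withEditedClaims(token, { role: 'admin' }), secret, now),
    copied: verifyJwt(token.slice(), secret, now), // verbatim copy of the token
    expired: verifyJwt(token, secret, now + 901),
  };
}

console.log(demo());
```

A copied token verifies exactly like the original until `exp` passes, so where the client keeps the token matters independently of the signature.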
