hey, what is the intended storage for users with b...
# general
h
hey, what is the intended storage for users with browser apps? especially regarding logout_url's that is being created. I know that login flow returns `Set-Cookie`
is Session Storage good to use?? i'm also thinking security wise.
b
The logout URL isn't valid forever, so you can also just create the logout URL when the user actually clicks on the logout button. Apart from that you can also store it in the application's state (if your app is client side). Try to avoid storing it in localstorage, as that can be read by other code on the page. Though, the risk is fairly limited, as the only thing an attacker could do with the logout URL is log the user out.
h
ya, after talking with some friends i came to that conclusion too. I am using react, and do use `useState`
my "biggest" headache has been redirects that happened but state wasn't available yet so another redirect kicked me back to `/login` when logged in properly, the state is removed if i manually changed url to e.g. `/dashboard`
so i will probably look into refreshing my state by doing something within https://www.ory.sh/docs/kratos/self-service/flows/user-login#refreshing-a-session if that is good 🤔
since the session token is 24h duration
b
Are you getting redirects from Kratos? You should also be able to use the "SPA" flows from Kratos, which mostly do not have any redirects (apart from OIDC, as that only works with redirects).
h
nae, it's react.
b
Okay, that's good then. We mostly create the logout URL on demand, either whenever we show a logout button (and then store it in state) or just when the user clicks the button. Both are valid approaches, IMO.
h
ya, my logout isn't the problem anymore.. for now. need to solve that annoying redirect i have. it's actually 90% similar to https://github.com/ory/elements/blob/main/examples/react-spa/src/Login.tsx#L88 <-- line 88. before that redirect, i have a `await auth.login()` where that `login()` is pointing to a `const` within my `auth.tsx` where in the example within Elements are using an `useEffect()` i've removed that and just done a

```tsx
const login = useCallback(async () => {
  await sdk.toSession().......
}, [])
```

This `toSession()` is the exact same one from the example. but instead of redirecting to `/` i redirect to `/dashboard` which has a `beforeLoad:` where i access `context` and i check `!context.auth.session.active` this is the one that fails.. `session.active` is not available yet at that point in time..