

Bearer and session token

Hi! My Laravel application is for the most part a pretty standard REST API, using Passport Bearer Tokens for authentication, but I want to also use it for static content delivery (files, images). Of course, I could just request these files via a JavaScript request, but these files can be huge, so I want to use the browser caching mechanism to take care of it.

The problem is that only authenticated users should be able to access these files and I can't add the Bearer Token to e.g. a standard img-tag.

So I thought about creating a middleware that creates and adds a "file access" cookie to the response, which is then used by the browser.

My questions about it:

  1. Does this make sense or is there any better option?
  2. From a security point of view: Is it OK to just put the user id into the encrypted cookie, so that in the non-REST-API part I can then extract the user id from the cookie and use this to check if the user is allowed to view the requested file?

Thanks for your help!

Best regards

Tek
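
A sketch of the file-access cookie described in the post above, added here as an example (not code from the poster, Laravel or Passport). It is plain PHP that signs the user id plus an expiry with HMAC-SHA256 rather than using Laravel's cookie encryption, and it rechecks per-file permission on every request. The key, the function names and the ACL array are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: a real app loads this key from configuration; this one is constructed.
const FILE_COOKIE_KEY = 'constructed-demo-key';

/** Build "payload.signature" for a user; the value stops verifying after $ttl seconds. */
function issueFileCookie(int $userId, int $ttl, int $now): string
{
    $payload = base64_encode(json_encode(['uid' => $userId, 'exp' => $now + $ttl]));
    return $payload . '.' . hash_hmac('sha256', $payload, FILE_COOKIE_KEY);
}

/** Return the user id if the value is authentic and unexpired, otherwise null. */
function verifyFileCookie(string $cookie, int $now): ?int
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison; rejects edited payloads and foreign keys.
    if (!hash_equals(hash_hmac('sha256', $payload, FILE_COOKIE_KEY), $mac)) {
        return null;
    }
    $data = json_decode((string) base64_decode($payload, true), true);
    if (!is_array($data) || !is_int($data['uid'] ?? null) || !is_int($data['exp'] ?? null)) {
        return null;
    }
    return $data['exp'] > $now ? $data['uid'] : null;
}

/** The cookie only identifies the user; permission is looked up on every request. */
function canViewFile(?int $userId, string $path, array $acl): bool
{
    return $userId !== null && in_array($userId, $acl[$path] ?? [], true);
}

// Constructed sample data: file path => user ids allowed to read it.
$acl = ['reports/q1.pdf' => [7]];
$now = 1700000000;
$cookie = issueFileCookie(7, 900, $now);
// Same signature, payload edited to claim another user id.
$edited = base64_encode(json_encode(['uid' => 8, 'exp' => $now + 900])) . '.' . explode('.', $cookie)[1];

foreach (['fresh' => [$cookie, $now + 60], 'expired' => [$cookie, $now + 901], 'edited' => [$edited, $now + 60]] as $case => [$value, $at]) {
    printf("%-8s %s\n", $case, canViewFile(verifyFileCookie($value, $at), 'reports/q1.pdf', $acl) ? 'serve file' : 'deny');
}
```

When such a value is sent as a cookie, the `httponly`, `secure` and `samesite` options of PHP's `setcookie()` keep it away from page scripts, plain-HTTP requests and cross-site requests.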
