hangra's avatar

Laravel Sanctum API & React: securely check if user is logged in

Hi, I followed this tutorial https://laravel-news.com/using-sanctum-to-authenticate-a-react-spa to create a simple app using Laravel Sanctum and React. Everything worked out pretty well. However, this tutorial and many others tend to store user details such as userId, email and isLoggedIn (as a boolean) using sessionStorage or localStorage. Before getting access to sensitive routes and data, it is checked whether isLoggedIn is true, for example. This does not seem very secure to me, since users may set these values themselves within the developer console.

I'm aware that the auth:sanctum middleware secures sensitive API endpoints server side; however, users could easily get access to the members-only area. So, is there a best practice to securely check if a user is logged in before accessing protected routes?

0 likes
3 replies
haseebch0098's avatar

@vincent15000 What if we have the email stored in a cookie, and then the user interacts with the page after some time and the session has expired on the backend? How can we detect that in the frontend and log the user out?

1 like
vincent15000's avatar

@haseebch0098 For each request, you need to check whether the user is logged in, and not only use the email stored in sessionStorage.

For example, before each request I retrieve the user data by using the session cookie. If I get the data, that means that the user is logged in; otherwise he's not logged in.

It works the same way in a common Laravel / Blade application.
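
The per-request check described in this thread, as an added example that is not part of any post or of the linked tutorial: a small client that asks the server who the session cookie belongs to and treats a 401 or 419 response on any call as "logged out", so a hand-edited `isLoggedIn` value in storage changes nothing. The names `createAuthClient`, `onLoggedOut` and `fakeBackend`, and the `/api/user` route behind `auth:sanctum`, are assumptions.

```javascript
// Added example. Assumed names: createAuthClient, onLoggedOut, fakeBackend,
// and a /api/user route guarded by the auth:sanctum middleware.
function createAuthClient({ fetchImpl, onLoggedOut = () => {} }) {
  let user = null; // display cache only, never the source of truth

  async function request(path, options = {}) {
    const res = await fetchImpl(path, {
      credentials: 'include', // send the Sanctum session cookie
      ...options,
      // Asking for JSON makes Laravel answer 401 instead of redirecting.
      headers: { Accept: 'application/json', ...(options.headers || {}) },
    });
    // 401: no valid session. 419: session or CSRF token expired.
    if (res.status === 401 || res.status === 419) {
      user = null;
      onLoggedOut(); // e.g. clear UI state and route to the login page
      return null;
    }
    if (!res.ok) throw new Error(`Request failed with status ${res.status}`);
    return res.json();
  }

  // The server decides who is logged in, based on the session cookie.
  async function checkSession() {
    user = await request('/api/user');
    return user !== null;
  }

  return { request, checkSession, currentUser: () => user };
}

// Constructed stand-in for the Laravel backend so the example runs offline.
function fakeBackend(state) {
  return async () => state.sessionValid
    ? { status: 200, ok: true, json: async () => ({ id: 1, email: 'user@example.test' }) }
    : { status: 401, ok: false, json: async () => ({ message: 'Unauthenticated.' }) };
}
```

In a React app, `checkSession()` would run before rendering a protected route, and `fetchImpl` would be `window.fetch.bind(window)`.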