Ok... it works now and I think I understand now. I use none for same_site, because my app is on a different server with a different domain. The httponly cookie has a URL so that only the gateway server will get the cookie. The browser can't read the value of the cookie. I send the cookie back to the gateway with each request and have a middleware which gets the token from the cookie and sets it as a header.
Help... understanding httponly, cookies, same_site???
Just want to know if I'm on the right track and if everything is ok or if I am wrong:
I built a gateway server with Laravel, where users can log in and which redirects the requests to the right service. I also have a Vue app, which is the frontend (both are on different domains: https://gw.test and http://localhost:8082). I am still trying to build a secure way to store the token in the Vue app. I have now started to use an httponly token, so that no one can read the token, only the site I set when creating the cookie. I also had to change the session.php config and set 'same_site' to none, because the URL is not the same. Is that right? Or can I also use lax for more security? What I also don't understand... when I use httponly, that says only my domain can read the cookie. Why is there also same_site=lax? Don't these both mean the same?
And another question... when I get my cookie with the token from my gateway... do I store the bearer token and send the bearer with my next requests, or should I send the cookie back and create a new middleware (or maybe there already is a middleware)?
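The two attributes the question runs together are independent, and a small model makes that visible: HttpOnly only decides whether page script (`document.cookie`) can read the cookie, while SameSite only decides whether the browser attaches the cookie to a request coming from another site. Below is an added example written for this thread, not code from the original post or from Laravel. It is plain Node.js with no framework; the `buildSetCookie`, `cookieWouldBeSent` and `tokenFromCookieMiddleware` names are invented here, and the "site" comparison is a simplification (it takes the last two host labels as the registrable domain, whereas real browsers consult the Public Suffix List). Run against the two origins from the post, it shows why `SameSite=Lax` would stop a fetch from `http://localhost:8082` carrying the cookie to `https://gw.test`, why `None` is the setting that works there, that `None` is only accepted together with `Secure`, and how the gateway-side middleware described in the follow-up turns the cookie back into a bearer header for downstream services.

```javascript
// Added example (not from the thread): a minimal model of HttpOnly vs SameSite
// plus the "cookie -> Authorization header" gateway middleware step.

// Build a Set-Cookie header value. Browsers reject SameSite=None without
// Secure, so that combination is refused here instead of silently emitted.
function buildSetCookie(name, value,
  { httpOnly = true, secure = true, sameSite = 'Lax', path = '/' } = {}) {
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`, `SameSite=${sameSite}`];
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// "Site" in SameSite terms: scheme + registrable domain (port is ignored).
// Simplified assumption: the last two host labels form the registrable domain,
// which is enough for hosts like gw.test or localhost.
function siteOf(origin) {
  const u = new URL(origin);
  const regDomain = u.hostname.split('.').slice(-2).join('.');
  return `${u.protocol}//${regDomain}`;
}

// Would a browser attach the cookie to a request from pageOrigin to cookieOrigin?
// Only SameSite matters here; HttpOnly has no effect on whether it is sent.
function cookieWouldBeSent({ sameSite, pageOrigin, cookieOrigin,
  topLevelNavigation = false, method = 'GET' }) {
  if (siteOf(pageOrigin) === siteOf(cookieOrigin)) return true;
  switch (sameSite) {
    case 'None': return true;                                   // any cross-site request
    case 'Lax': return topLevelNavigation && method === 'GET'; // link clicks only, not fetch/XHR
    case 'Strict': return false;
    default: throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// HttpOnly answers a different question: can page script read the cookie?
function readableByPageScript({ httpOnly }) {
  return !httpOnly;
}

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookieHeader(header) {
  const out = {};
  for (const pair of (header || '').split(';')) {
    const idx = pair.indexOf('=');
    if (idx < 0) continue;
    const k = pair.slice(0, idx).trim();
    if (k) out[k] = decodeURIComponent(pair.slice(idx + 1).trim());
  }
  return out;
}

// Gateway middleware: copy the token out of the HttpOnly cookie into the
// Authorization header so downstream services see a plain bearer token.
// An Authorization header the client already sent is left untouched.
function tokenFromCookieMiddleware(cookieName) {
  return function (req, next) {
    if (!req.headers.authorization) {
      const token = parseCookieHeader(req.headers.cookie)[cookieName];
      if (token) req.headers.authorization = `Bearer ${token}`;
    }
    return next(req);
  };
}

// Walk through the thread's setup with a constructed request.
const gatewayCookie = buildSetCookie('token', 'constructed-token-value', { sameSite: 'None' });
const sentWithLax = cookieWouldBeSent({ sameSite: 'Lax',
  pageOrigin: 'http://localhost:8082', cookieOrigin: 'https://gw.test' });
const sentWithNone = cookieWouldBeSent({ sameSite: 'None',
  pageOrigin: 'http://localhost:8082', cookieOrigin: 'https://gw.test' });
const req = { headers: { cookie: 'token=constructed-token-value; other=1' } };
tokenFromCookieMiddleware('token')(req, r => r);
console.log({ gatewayCookie, sentWithLax, sentWithNone, authorization: req.headers.authorization });
```

The defensive point this makes concrete: `None` is the widest setting, so once it is chosen the gateway should rely on CORS, CSRF protection and short-lived tokens rather than on SameSite, because the cookie will be attached to any cross-site request the browser makes to `gw.test`.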