: Single Page Web App - Auto-login security conundrum We have a single page web application written in Angular with a Java back-end. It is public facing and as part of the security model we
We have a single page web application written in Angular with a Java back-end. It is public facing and as part of the security model we use https, JWT tokens and take csrf measures. Occasionally, a user may need to make a payment. This is mediated via a third party payment service. We are legally mandated to use this service.
When a payment is initiated, a number of security handshakes take place between our server and the payment provider's server. Ultimately, users get redirected to the provider's payment page. The Angular app has now lost all of it's state information e.g. its security token. When the payment is complete, the payment service redirects back to a URL of our choice. Redirecting back to our Angular app requires the user re-login. The customer isn't happy with this.
We need to auto-login after payment. This is simple to do, but is there a way of doing this securely?
The basic solution we have in place is to save a temporary cookie generated server-side containing part of a temporary security token to facilitate auto-login. On its own the partial token is no use. To login, it must be used in conjunction with another partial token sent in the redirect URL from the payment pages. The Angular app upon reinitialisation reads the cookie, parses the URL, deletes the cookie, sends the two pieces of the token to the server using https and gets sent a new token in the http header. Is this secure?
More posts by @Connie744
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.