While I comprehend the importance of implementing an httponly flag in the Set-Cookie Response header to enhance security and prevent XSS attacks, there is one aspect that remains unclear to me. Specifically, I am unsure about the purpose of the "ss-tok" cookie used by ServiceStack to store the bearerToken.
As per the ServiceStack documentation, it is possible to create a stateless JWT Cookie by setting UseTokenCookie to true during authentication:
var authResponse = client.Send(new Authenticate {
provider = "credentials",
UserName = username,
Password = password,
UseTokenCookie = true
});
Despite the creation of the httponly "ss-tok" cookie upon successful authentication, I have encountered difficulties in utilizing this token cookie. It cannot be accessed via JavaScript and does not seem to be included in JsonServiceClient requests.
Even though my ServiceStack microservices are designed for secure communication, they do not receive the "ss-tok" value in any valid request. Consequently, I find myself manually setting the bearerToken for each secure request as outlined in the ServiceStack documentation.
Initially, I believed I had overlooked a crucial component in the process based on this section of the documentation. However, attempts to set the cookie value using the code snippet below proved ineffective:
var client = new JsonServiceClient(baseUrl);
client.SetCookie("ss-tok", jwtToken);
In reality, the above code appears illogical since the "ss-tok" value does not reach the resource microservices. Thus, I continue to explicitly specify the bearerToken value as shown previously:
var client = new JsonServiceClient(baseUrl);
client.bearerToken = jwtToken;
This necessitates storing jwtToken in a custom cookie within my application due to the requirement of creating multiple instances of JsonServiceClient across different areas of the app.