问题
I'm developing a backbone application with a REST api to a Laravel back end.
It means that I authenticate on every request, using the access token that I receive from the social media (eg. Facebook, Google, etc).
My plan was to store a client side cookie generated with Javascript to store the access token, so that I can send it to the back end to authenticate the user with my application, and so that it is possible to request resources on the server of the social medium (such as friends list, photos, etc).
Note that I make an additional check with the FB server in my back end with PHP.
Question: Is it safe to store the access token in a browser cookie generated by Javascript when this cookie is never sent to the server?
For example, is this safe practice (see image below)?
Afaik, nobody should have access to this access except for the user him/herself.
If not, I really see no way how to perform safe (REST) authentication at all... I've been poundering about this question for a very long time now.
来源:https://stackoverflow.com/questions/27176869/is-safe-to-store-an-access-token-in-a-client-cookie-if-the-cookie-is-not-send-to