Is there any secure way to create a user session in a SPA with a Basic Auth REST API?

Question

I need to build a Single Page Application based on AngularJS that will retrieve data from a REST API. Those REST services are secured using Basic Auth + HTTPS.

Is there any secure way to provide a user session in a SPA? I mean, without extra components like a Token provider (e.g. OAuthV2). I'm thinking on a login page for authenticating the user access to the APP for a time period, as well as a logout action.

More questions:

1) The Basic Auth needs the user credentials on each request. However, the SPA should not store the user credentials for sending them on each request, right? (Is the Local/Session Storage visible in a HTTPS webpage?)

2) Do the browser automatically send the Basic Auth header after authenticating the first request? Then, is there any way to log out?

Many thanks! Sergi

Answer 1

I'd appreciate an expert opinion, but this seems to work:

• User submits its username & password at login page. AngularJS SPA sets the credentials in a cookie ($cookiestore)
• SPA calls to the backend's login service with the Basic Auth.
• If login is success, the cookie stores the credentials and it's automatically sent on each request.
• Logout should remove the cookie for removing the user's session.

Unlike Local Storage, the cookie containing the user credentials cannot be read since the communication is secured by HTTPS.