I have a Laravel project that uses Laravel Sanctum to generate access tokens for users.
I return the token to the front-end on a login and sign up request.
Previously, I'd use Laravel's session() function to store tokens like so:
session(['token', $accessToken]);
But I've been told this is not secure. So now I return it to the front-end (vanilla JavaScript) and store it in a cookie. But I'm also being told that's not secure.
Can someone please guide me on where and how exactly I should store the token?
I've heard about setting an httpOnly flag, but nowhere actually telling me where to store the token.
You should store them in the session like you said in your post.
session(['token' => $accessToken]);
As long as you are using TLS (HTTPS) this will be safe in the majority of situations.
session() makes it vulnerable to session hijacking attacks.
This is a whole different issue that is not really related to the session itself. People can try to guess the session ID etc. Laravel uses random, long session IDs that are stored in an encrypted cookie. Unless your application has a major security flaw, you shouldn't have to worry about it.
Sure, you could copy a session cookie to a different browser, but this is just how sessions work.
If you want to be really sure that the session was not hijacked:
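The pattern the answer recommends, written out as an added example (this is not code from the question or the answer, and not Laravel's own): the Sanctum token is minted on the server after a successful login and kept in the server-side session, so the browser only ever holds Laravel's encrypted session cookie and the token itself never reaches front-end JavaScript. The controller class, the token name 'api' and the redirect targets are assumptions; it assumes a Laravel app with Sanctum installed and a User model using the HasApiTokens trait.

```php
<?php
// Added example, not from the question or answer above. Assumes Laravel with
// Sanctum installed and a User model using HasApiTokens. Class name, token
// name and redirect paths are hypothetical.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Http;

class LoginController extends Controller
{
    public function login(Request $request)
    {
        $credentials = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required'],
        ]);

        if (! Auth::attempt($credentials)) {
            return back()->withErrors(['email' => 'Invalid credentials.']);
        }

        // Rotate the session ID when the privilege level changes so a session
        // ID planted before login (session fixation) is never upgraded.
        $request->session()->regenerate();

        // Mint the Sanctum token server-side and keep it in the session.
        // Note the "=>": session(['token', $token]) builds a plain list, not a
        // key/value pair, so session('token') would come back null.
        $plainTextToken = $request->user()->createToken('api')->plainTextToken;
        $request->session()->put('token', $plainTextToken);

        // The response carries only the encrypted session cookie; the token
        // never appears in the HTML, a JS-readable cookie or localStorage.
        return redirect()->intended('/dashboard');
    }

    // Server-side code that needs the token reads it from the session and
    // attaches it as a Bearer header; the browser is never involved.
    public function profile(Request $request)
    {
        $response = Http::withToken($request->session()->get('token'))
            ->get(config('app.url') . '/api/user');

        return view('profile', ['user' => $response->json()]);
    }

    public function logout(Request $request)
    {
        // Revoke the token and destroy the session together so that neither
        // credential outlives the other.
        $request->user()->tokens()->where('name', 'api')->delete();

        Auth::logout();
        $request->session()->invalidate();
        $request->session()->regenerateToken();

        return redirect('/login');
    }
}
```

With the token held server-side, the only thing worth hardening is the session cookie itself: in config/session.php set 'secure' => true (cookie only over HTTPS), 'http_only' => true (not readable from JavaScript) and 'same_site' => 'lax' (not sent on cross-site POSTs), and keep 'encrypt' enabled. Those settings are what makes an XSS bug unable to read the session ID, and TLS is what stops it being read on the wire, which is the condition the answer attaches to "this will be safe".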