Currently I'm keeping the client's token in an HttpOnly cookie, but I'm thinking about using the Authorization header instead of a cookie to provide the certificate to the server, because some architecture issues are making me unable to use cookies.
But I want the token to always be deleted after the browser window is closed, which means the token is going to have the same lifetime as a "session cookie".
So I thought I could use a cookie from the client code only to store the token or some indication. But as cookies are usually meant for the server, and are sent to the server, it makes me wonder whether this is a bad practice.
I also thought I could use the "onunload" event callback to delete the token in local storage. But what if the client's computer abruptly turns off?
So my question is: is there a better way than using a cookie? Or can I go this route (using a cookie to store the token or a related indication, but not sending it to the server)?
I also thought I could use the "onunload" event callback to delete the token in local storage. But what if the client's computer abruptly turns off?
If this is sufficient for you, you can simply keep the token in a variable instead.
const token = 'some-token'; // lives only as long as this page's script context
It'll be gone when the page is closed/reloaded/etc.
Alternatively, and what I think you really want, is sessionStorage:
https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage
The read-only sessionStorage property accesses a session Storage object for the current origin. sessionStorage is similar to localStorage; the difference is that while data in localStorage doesn't expire, data in sessionStorage is cleared when the page session ends.
sessionStorage.setItem('token', 'some-token'); // cleared when the tab's page session ends
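As an added example (not part of the answer above), here is how the sessionStorage approach fits together with an Authorization header: a small token store that uses sessionStorage when it exists and otherwise falls back to an in-memory Map (so the same code runs in Node.js for testing), plus a fetch wrapper that attaches `Authorization: Bearer <token>` and drops the stored token when the server answers 401. The key name `auth_token`, the `TokenStore` class and the `authedFetch` helper are names chosen for this example; the injected `fetchImpl` parameter exists only so the wrapper can be exercised without a network. Two caveats worth knowing: sessionStorage is scoped per tab and survives a reload of that tab, and some browsers restore it when restoring a closed session, so the client-side lifetime is a convenience, not a guarantee; pair it with a short server-side token expiry.

```javascript
// Added example: tab-scoped bearer token storage with an Authorization
// header, using sessionStorage where available (browser) and an in-memory
// Map elsewhere (Node.js). Not code from the original answer.

const TOKEN_KEY = 'auth_token'; // assumed key name for this example

// Return something with the Storage API subset we use
// (getItem / setItem / removeItem). Prefer an explicitly supplied
// backend, then the browser's sessionStorage, then an in-memory Map,
// which disappears with the process exactly like a plain variable would.
function resolveStorage(preferred) {
  if (preferred) return preferred;
  if (typeof sessionStorage !== 'undefined') return sessionStorage;
  const mem = new Map();
  return {
    getItem: (k) => (mem.has(k) ? mem.get(k) : null),
    setItem: (k, v) => { mem.set(k, String(v)); },
    removeItem: (k) => { mem.delete(k); },
  };
}

class TokenStore {
  constructor(storage) {
    this.storage = resolveStorage(storage);
  }

  set(token) {
    if (typeof token !== 'string' || token.length === 0) {
      throw new TypeError('token must be a non-empty string');
    }
    this.storage.setItem(TOKEN_KEY, token);
  }

  // null when no token is stored (Storage.getItem semantics)
  get() {
    return this.storage.getItem(TOKEN_KEY);
  }

  clear() {
    this.storage.removeItem(TOKEN_KEY);
  }

  // Headers for an authenticated request, or null when there is no token,
  // so the caller can send the user to login instead of making an
  // unauthenticated call.
  authHeaders(extra = {}) {
    const token = this.get();
    if (token === null) return null;
    return { ...extra, Authorization: `Bearer ${token}` };
  }
}

// fetch wrapper: adds the Authorization header from the store and forgets
// the token if the server rejects it with 401, so later calls fail fast
// rather than replaying a dead token.
async function authedFetch(store, fetchImpl, url, init = {}) {
  const headers = store.authHeaders(init.headers || {});
  if (headers === null) throw new Error('not authenticated');
  const response = await fetchImpl(url, { ...init, headers });
  if (response.status === 401) store.clear();
  return response;
}

// Typical browser usage (runs against the real sessionStorage and fetch):
//   const store = new TokenStore();
//   store.set(tokenFromLoginResponse);
//   const res = await authedFetch(store, fetch, '/api/me');
```

In the browser the store is constructed without arguments and picks up sessionStorage automatically; because nothing here sets a cookie, the token is never sent implicitly, which is the property the question was after.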