Channel: Bountied questions - Information Security Stack Exchange

"Duplicate" of Chrome Tabs causes stale tokens


Our implementation for authentication works like this:

  1. User provides username/password to /login API
  2. API returns access token and refresh token in payload
  3. We store the access token and refresh token in session storage
  4. After a period of time, the access token expires and the server throws an expiry error, on which we hit the /refresh API, which returns a new refresh token and access token, again to be stored in session storage.

The issue

  1. When a user duplicates a Chrome tab, the session storage is also duplicated, so the access token and refresh token are now the same in another tab.
  2. When one of the tabs has an expired token, it will hit the /refresh API and get a new refresh token and access token, while the back-end invalidates the previous pair of tokens.
  3. Now one of the tabs will have an invalid token, which causes all API calls to fail for that browser.

Proposed Solution

  1. Use httpOnly cookies to store the access and refresh tokens, which will solve the issue for us.
  2. Use the Broadcast Channel API to sync the 2 duplicate sessions.

Even after a lot of research, I'm unable to decide which solution would be more secure, since we have already covered CSRF and XSS attack vectors as much as we can.
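The failure mode in the question, and the effect of the second proposed fix, as an added example that is not part of the question or the asker's code base: a toy backend with one-time-use refresh tokens, two tabs that start from the same duplicated session storage, and a constructed synchronous stand-in for BroadcastChannel (same post/receive shape, no asynchrony) so the scenario runs in Node. The `Backend`, `SyncChannel` and `Tab` classes are assumptions for illustration.

```javascript
// Added example, not from the question: refresh-token rotation, two tabs that
// share a duplicated sessionStorage, and a synchronous BroadcastChannel stand-in.
class Backend {
  constructor() { this.n = 0; this.access = new Set(); this.refresh = new Map(); }
  issue() {                         // new pair; refresh token maps to its access token
    const pair = { access: `a${this.n}`, refresh: `r${this.n}` }; this.n += 1;
    this.access.add(pair.access); this.refresh.set(pair.refresh, pair.access);
    return pair;
  }
  expireAccess(access) { this.access.delete(access); } // stands in for time passing
  apiCall(access) { return this.access.has(access) ? 200 : 401; }
  rotate(refresh) {                 // /refresh: the previous pair is revoked on use
    const oldAccess = this.refresh.get(refresh);
    if (oldAccess === undefined) throw new Error('invalid refresh token');
    this.refresh.delete(refresh); this.access.delete(oldAccess);
    return this.issue();
  }
}
class SyncChannel {                 // constructed stand-in: BroadcastChannel, minus asynchrony
  constructor() { this.tabs = []; }
  join(tab) { this.tabs.push(tab); }
  post(sender, tokens) { for (const t of this.tabs) if (t !== sender) t.adopt(tokens); }
}
class Tab {
  constructor(backend, tokens, channel) {
    this.backend = backend; this.tokens = { ...tokens }; this.channel = channel;
    if (channel) channel.join(this);
  }
  adopt(tokens) { this.tokens = { ...tokens }; } // a sibling rotated; take its new pair
  call() {                                       // API call with refresh-on-401
    if (this.backend.apiCall(this.tokens.access) === 200) return 200;
    try {
      this.tokens = this.backend.rotate(this.tokens.refresh);
      if (this.channel) this.channel.post(this, this.tokens);
      return this.backend.apiCall(this.tokens.access);
    } catch (e) { return 401; }                  // stale pair: this tab is locked out
  }
}
function scenario(withSync) {
  const backend = new Backend();
  const channel = withSync ? new SyncChannel() : null;
  const login = backend.issue();                 // /login response stored in sessionStorage
  const a = new Tab(backend, login, channel);
  const b = new Tab(backend, login, channel);    // "Duplicate tab" copies the same pair
  backend.expireAccess(login.access);            // the shared access token expires
  return { first: a.call(), second: b.call() };  // A rotates first, then B tries
}
```

In a real browser the broadcast is asynchronous, so two tabs can both send /refresh before either hears from the other; syncing the tokens removes the stale-copy problem but a refresh lock (for example the Web Locks API) is still needed to serialize the refresh itself.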

