I'm currently building an API with Symfony. To make the authentication secure I'm using the LexikJWTAuthenticationBundle with JWTRefreshTokenBundle, and everything is set up so both the BEARER and refresh_token are sent in a secure httponly cookie. Here is my setup:
security.yaml

security:
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        api:
            pattern: ^/
            stateless: true
            entry_point: jwt
            jwt: ~
            json_login:
                check_path: /login_check
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
            refresh_jwt:
                check_path: /token/refresh
            logout:
                path: api_token_invalidate
                delete_cookies:
                    BEARER: null
                    refresh_token: null
lexik_jwt_authentication.yaml

lexik_jwt_authentication:
    user_identity_field: email
    secret_key: '%env(resolve:JWT_SECRET_KEY)%'
    public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
    pass_phrase: '%env(JWT_PASSPHRASE)%'
    token_ttl: 3600
    token_extractors:
        cookie:
            enabled: true
            name: BEARER
    set_cookies:
        BEARER:
            httpOnly: true
            samesite: none
            secure: true
            path: /
            domain: '%env(COOKIE_DOMAIN)%'
            lifetime: null
gesdinet_jwt_refresh_token.yaml

gesdinet_jwt_refresh_token:
    manager_type: mongodb
    refresh_token_class: App\Document\RefreshToken
    ttl: 86400
    single_use: true
    cookie:
        enabled: true
        remove_token_from_body: true
        http_only: true
        same_site: none
        secure: true
        path: /
        domain: '%env(COOKIE_DOMAIN)%'
Everything works fine when I run it locally with Postman. When I log in, I get both cookies, and when I log out both cookies are removed. But on production only the refresh_token cookie is removed. I am also sending the request with Postman, so I don't think that the problem is the cookies themselves. As the cookies are httponly I can't access them from the front-end, and being unable to remove the BEARER cookie is problematic because it leaves users logged in and logged out at the same time.
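As an added example (not the question's own config): the `delete_cookies` entry for BEARER written out with the same path and domain the cookie was set with in `set_cookies`, since a client only expires a stored cookie when the clearing Set-Cookie matches it by name, path and domain, and `BEARER: null` clears with Symfony's defaults (no domain attribute) rather than with '%env(COOKIE_DOMAIN)%'. The `secure` and `samesite` keys are assumed to be supported by the Symfony version in use.

```yaml
# Added example, not the question's config: make the logout listener clear the
# BEARER cookie with the same attributes Lexik used to set it. A cookie set with
# domain=COOKIE_DOMAIN and path=/ is not touched by a clearing Set-Cookie that
# carries no domain attribute, which is what `BEARER: null` sends.
security:
    firewalls:
        api:
            # ... rest of the firewall unchanged from security.yaml above ...
            logout:
                path: api_token_invalidate
                delete_cookies:
                    BEARER:
                        path: /
                        domain: '%env(COOKIE_DOMAIN)%'
                        # mirror set_cookies.BEARER; assumed available in the
                        # Symfony version in use
                        secure: true
                        samesite: none
                    # the refresh bundle already clears its own cookie with the
                    # domain from gesdinet_jwt_refresh_token.yaml
                    refresh_token: null
```

A quick check is to compare the two Set-Cookie headers in the logout response (Postman's response headers tab) with the ones from /login_check: the expiring header must repeat the Domain and Path of the original.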