Yes. With security as the priority, compared to local storage, cookies over a secure transport such as HTTPS are the better choice.
For Amplify Gen 2:
import { Amplify } from 'aws-amplify';
import outputs from './amplify_outputs.json'; // the Gen 2 outputs file generated for your backend
Amplify.configure(outputs, { ssr: true }); // ssr: true enables cookie storage for authentication tokens
For Amplify Gen 1:
import { CookieStorage } from 'aws-amplify/utils';
import { cognitoUserPoolsTokenProvider } from 'aws-amplify/auth/cognito';
cognitoUserPoolsTokenProvider.setKeyValueStorage(new CookieStorage());
Hey,
Hope you're keeping well.
By default, Amplify stores Cognito tokens in localStorage for simplicity, but this can be vulnerable to XSS attacks if your site’s scripts are compromised. For higher security in production—especially for e-commerce—you can configure Amplify to store tokens in secure, HTTP-only cookies so they’re not accessible to client-side JavaScript. In Amplify v6 (Gen 2), you can enable SSR mode with Amplify.configure({ ssr: true }), which uses cookies automatically. For older Amplify versions, set a custom CookieStorage via cognitoUserPoolsTokenProvider.setKeyValueStorage. Make sure your cookies have Secure and SameSite=Strict attributes and that you’re serving over HTTPS.
Thanks and regards,
Taz
Thanks for your response! The tokens are in cookie storage now, but they are not HttpOnly (like the picture below), so there is still a possibility of an XSS attack. Do you have an idea how to enable HttpOnly cookies? I have read this documentation ( https://docs.amplify.aws/nextjs/build-a-backend/server-side-rendering/#experimental-perform-authentication-on-the-server-side-and-enable-httponly-cookies ), but it seems to be only for the Managed login feature. I appreciate your assistance!
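Two things from this thread are worth seeing in working code: the Secure and SameSite=Strict attributes the answer above recommends for token cookies, and the HttpOnly gap raised in the comment. The block below is an added example, not Amplify's code and not from either poster. It implements a cookie-backed storage with the four methods (getItem, setItem, removeItem, clear) that I assume cognitoUserPoolsTokenProvider.setKeyValueStorage expects from Amplify v6's KeyValueStorageInterface (check this against your version; the methods here return plain values, which works where the caller awaits them), and an auditor that checks a Set-Cookie header for the attributes a token cookie should carry. The in-memory cookie jar is a constructed stand-in for a browser's document.cookie so the code runs offline.

```javascript
// Added example (not Amplify's own code). Assumption: Amplify's
// KeyValueStorageInterface is { getItem, setItem, removeItem, clear }.

// Constructed stand-in for document.cookie so the example runs in Node.
// Reads expose only "name=value" pairs, as a browser does; raw() is for inspection.
function makeCookieJar() {
  const jar = new Map(); // name -> full "name=value; attr; attr" string
  return {
    set cookie(str) {
      const name = str.split('=')[0].trim();
      if (/max-age=0(;|$)/i.test(str)) jar.delete(name); else jar.set(name, str);
    },
    get cookie() {
      return [...jar.values()].map(s => s.split(';')[0]).join('; ');
    },
    raw: () => [...jar.values()],
  };
}

// Cookie-backed storage that stamps Secure and SameSite=Strict on every write.
// In a browser pass `document`; here the constructed jar above is passed.
function createSecureCookieStorage(doc, opts = {}) {
  const path = opts.path ?? '/';
  const maxAge = opts.maxAgeSeconds ?? 60 * 60 * 24; // default: one day
  const attrs = `; Path=${path}; Secure; SameSite=Strict`;
  const enc = encodeURIComponent;
  const read = () => Object.fromEntries(
    doc.cookie.split('; ').filter(Boolean).map(p => {
      const i = p.indexOf('=');
      return [decodeURIComponent(p.slice(0, i)), decodeURIComponent(p.slice(i + 1))];
    }));
  return {
    setItem(key, value) {
      doc.cookie = `${enc(key)}=${enc(value)}; Max-Age=${maxAge}${attrs}`;
    },
    getItem(key) { return read()[key] ?? null; },
    removeItem(key) { doc.cookie = `${enc(key)}=; Max-Age=0${attrs}`; },
    clear() { for (const k of Object.keys(read())) this.removeItem(k); },
  };
}

// Audits one Set-Cookie header value and lists missing hardening attributes.
// HttpOnly can only be set by a server-side Set-Cookie header: a cookie written
// through document.cookie (as the storage above does) is never HttpOnly, which
// is why a script-side storage alone cannot satisfy the HttpOnly requirement.
function auditSetCookie(header) {
  const parts = header.split(';').map(s => s.trim().toLowerCase());
  const attrs = new Set(parts.slice(1));
  const sameSite = parts.find(p => p.startsWith('samesite='));
  const missing = [];
  if (!attrs.has('httponly')) missing.push('HttpOnly');
  if (!attrs.has('secure')) missing.push('Secure');
  if (!sameSite || !['samesite=strict', 'samesite=lax'].includes(sameSite)) {
    missing.push('SameSite=Strict|Lax');
  }
  return { name: header.split('=')[0].trim(), missing };
}
```

In a browser build the storage would be registered with `cognitoUserPoolsTokenProvider.setKeyValueStorage(createSecureCookieStorage(document))`. Running `auditSetCookie` over the Set-Cookie headers in your browser's network tab is a quick way to confirm whether the token cookies you end up with are HttpOnly; anything written by client-side JavaScript will always fail that check.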