Heads up! To view this whole video, sign in with your Courses account or enroll in your free 7-day trial. Sign In Enroll

Using Cookies and JWTs for Secure Authentication

Well done!

You have completed Using Cookies and JWTs for Secure Authentication!

Sign up for Treehouse Back to Library

Managing Cookies

6:27 with Alena Holligan

We're ready to add the additional cookie settings: path, domain, secure, and HttpOnly.

Managing the Cookie

function setAuthCookie($data, $expTime)
{
  $cookie = new Symfony\Component\HttpFoundation\Cookie(
    'auth',
    $data,
    $expTime,
    '/',
    '.treehouse-app.com',
    false,
    true
  );
  return $cookie;
}

Note

If the cookie isn't working properly, one of the most common reasons is that the domain is not set properly.

When using workspaces it should be treehouse-app.com. When using your own development server, the domain may be something like localhost.

This additional setting may change based on the environment in which the site is running, so this would be a good place to use environment variables. We'll be adding environment variables with our JWT.

Related Discussions

Have questions about this video? Start a discussion with the community and Treehouse staff.

Sign up

    Related Discussions

    Have questions about this video? Start a discussion with the community and Treehouse staff.

    Sign up

    To get started, I'm going to make it easier to manage authentication cookies,. 0:00
    First, we'll make this a single auth cookie with the value being a JSON object. 0:05
    Since the value of a cookie must be string, 0:11
    JSON data works very well for allowing us to store more complex data. 0:14
    We'll create an array named data. 0:20
    And we'll set it equal to the auth_user_id, And the auth_roles. 0:24
    Make sure we close our array properly and 0:43
    we'll change cookieRoles to just cookie. 0:47
    Now we can name the cookie auth and 0:52
    pass json_encode data. 0:56
    And finally, 1:00
    we'll change our redirect cookies and just pass in cookie. 1:03
    Before we move on, let's test things out in the browser. 1:10
    Make sure we're logged out and we log back in. 1:15
    Remove that extra semicolon, try this again. 1:21
    And this time, we're going to choose Inspect. 1:29
    And we go into Application, and our Cookies. 1:34
    We can see the auth_user_id, auth_roles, and are authCookie. 1:38
    We can also use the Inspector to remove the original cookies that will no longer 1:44
    be using. 1:49
    We'll select them and press Delete. 1:49
    Now let's go back to our code. 1:53
    We're going to create a new helper function to manage our auth cookie. 1:56
    Function setAuthCookie(), 2:04
    We'll copy the cookie line from the saved user data. 2:11
    Then we'll also want to add an expiration time. 2:20
    The name of our cookie is going to stay the same, but the data and 2:29
    the expiration time will change based on creating or deleting the cookie. 2:33
    Let's pass those values into our function. 2:39
    We'll add data and expire time. 2:45
    Now let's add the additional cookie settings. 2:59
    The next thing we need is the path, we'll set this to our root path. 3:03
    The domain we're going to use is .treehouse-app.com so 3:09
    that any work space will work. 3:16
    If you're running this on your local computer, make sure you set this 3:19
    to whatever your environment is, something like localhost, possibly. 3:23
    We'll set secure to false, since work spaces doesn't use HTTPS. 3:29
    And then finally, the HTTP only will be set to true. 3:36
    Now we can call our function and pass in the data and expiration time. 3:43
    SetAuthCookie and we'll pass 3:53
    the JSON data and expiration time. 3:58
    For the expiration time, I'm 4:06
    going to use time plus 3600. 4:11
    This is 3600 seconds from now, which equals 1 hour from now. 4:18
    Let's go back to the browser to see this working one more time. 4:23
    We're going to log out and log back in. 4:28
    We'll need to return our cookie. 4:39
    Great, now we see two auth cookies, because the domains are different. 4:47
    One is set to the full sub-domain and one is set to .treehouse. 4:53
    The one that's set to .treehouse app has an expiration date, 4:59
    that's the one we're going to be using. 5:04
    So we can delete this other one. 5:07
    We're ready to remove the cookie when we log out. 5:09
    Let's open the doLogout procedure. 5:14
    To delete a cookie, we unset its value and pass a date in the past. 5:19
    We'll use our setAuthCookie function, 5:26
    And we'll pass either an empty string or expired. 5:34
    Then we need to pass any date in the past. 5:40
    To make this easy, I'm just going to use 1, 5:43
    which is one second from January 1st, 1970 and I'll set this to cookie. 5:47
    And then once again, 5:59
    in my redirect I add cookies and 6:02
    set this equal to cookie. 6:07
    Let's go try this out in the browser again. 6:13
    We go to log out, And our cookie has been removed. 6:16
    Great, we're ready to use cookies for authentication. 6:22

    You need to sign up for Treehouse in order to download course files.

    Sign up

      You need to sign up for Treehouse in order to set up Workspace

      Sign up