Closed ianpatton closed 2 years ago
For a web-based use-case, you can take a look at our session management options in Magic Dashboard. However, for a web3 use-case, there are additional security risks with this approach. You'll be responsible for auditing your own application's XSS risk. While our session management approach is better at reducing the surface area of XSS compared to refresh token rotation, it's still a feasible attack vector if you're not careful! For this reason, we usually recommend against using this feature for web3.
✅ Prerequisites
magic-sdk
❓ Question
What is the recommended way to handle sessions for web3 apps in the browser?
Most of the recommendations and example apps I have seen pass the DID token to the backend API and create sessions with the server via cookie or JWT. However, when doing that, I lose the authenticated session in Magic on subsequent page views (user.isLoggedIn is false) or after refresh in the client (react/next.js) app.
I still see magic data in IndexedDB. Why is user.isLoggedIn() false?
🌎 Environment
magic-sdk
yarn