[Fixed] Angular – Store MSAL AccessToken in browser cookies


Is there a way to configure msal-angular to store its accessToken configs in cookies rather than storing in localStorage/sessionStorage.

I’m having security concerns about storing the token in localStorage/sessionStorage.

Such issue is also reported on Github (check here)

I have also set the storeAuthStateInCookie to true, but this also doesn’t restrict saving the accessToken in the localStorage.

After doing research I found out that it’s a limitation in the MSAL Library. My question is that has anyone deliberately implemented this feature?

Library versions used:

  1. @azure/msal-angular: 1.0.0-beta.4
  2. msal: 1.2.1


Looks you could not do this via msal-angular, storeAuthStateInCookie is not for that, it is used to fix the issues due to security zones, and is not available for msal-angular.

This fix is not yet available for the msal-angular and msal-angularjs wrappers. This fix does not address the issue with Popup windows.

Also from this GitHub issue:

Cookie is designed to be in addition to localstorage/sessionstorage, not as an alternative. It is introduced to solve an issue with IE TrustedZones. Exclusive cookie storage only is not something that we supported in the past.

@Highspeed7 We are in middle of a major update for the library and would love to consider this once we release the current in the works changes. @navyasric to add this in our road map and update this thread as and when we plan to support this.

Maybe it will support this in the future, but currently it could not do that.

Leave a Reply

(*) Required, Your email will not be published