-1

Currently I have read RFC 6265 chapter 4.1.1 about the syntax of Set-Cookie headers. In 4.1.1 is the text:

Each cookie begins with
a name-value-pair, followed by zero or more attribute-value pairs.
Servers SHOULD NOT send Set-Cookie headers that fail to conform to
the following grammar:

And in the list of grammar there is the entry:

 token  = <token, defined in [RFC2616], Section 2.2>

In my opinion that means that it is possible to save a JWT in a cookie, but as I kept on reading, I didn't find any documentation about this field. On Wikipedia I also didn't find this field.

Am I wrong with my opinion? Or is it possible to save a JWT (JWE, JWS) in a cookie? Because in the PHP set_cookie() method I also can't find this "Token" field. Or is it also best practice to save the token in a cookie and set the JWT into the value of the set_cookie() method?

Professor Abronsius
michael-mammut

1 Answer

1

Cookies are just a storage space for information that you want to send to the browser to be returned to you on every HTTP request. You can store any text in there so long as it's not too long (don't know the length limit).

So yes, you can store a JWT value in a cookie if you wish, by using setcookie(). The documentation may not mention the token field by name, but again, you can name the cookie whatever you want.

BeetleJuice
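An added example, not part of the question or answer above, and written in Python rather than PHP so it runs stand-alone: in RFC 6265 section 4.1.1 `token` is the grammar of the cookie name, while the value follows `cookie-octet`, which a compact JWS/JWE satisfies and raw JSON claims do not. The function names, the cookie name `session`, the attribute choices and the sample token are assumptions of this example.

```python
import base64
import re

# RFC 2616 section 2.2 "token": the grammar of the cookie NAME in RFC 6265 4.1.1.
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# RFC 6265 4.1.1 "cookie-octet": printable ASCII minus space, DQUOTE, comma,
# semicolon and backslash. This is the grammar of the cookie VALUE.
COOKIE_VALUE_RE = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")
B64URL_RE = re.compile(r"[A-Za-z0-9_-]*")
MIN_UA_COOKIE_BYTES = 4096  # RFC 6265 6.1: size user agents SHOULD support


def is_cookie_value(value):
    """True if value is made only of RFC 6265 cookie-octets."""
    return COOKIE_VALUE_RE.fullmatch(value) is not None


def jwt_set_cookie(name, jwt, max_age=900):
    """Return a Set-Cookie header value carrying jwt, or raise ValueError."""
    if not TOKEN_RE.fullmatch(name):
        raise ValueError("cookie-name must be an RFC 2616 token")
    parts = jwt.split(".")
    # Compact JWS has 3 base64url segments, compact JWE has 5.
    if len(parts) not in (3, 5) or not parts[0]:
        raise ValueError("not a compact JWS/JWE serialization")
    if not all(B64URL_RE.fullmatch(p) for p in parts):
        raise ValueError("segment is not base64url")
    # Attribute choices are assumptions of this example, not from the page.
    header = f"{name}={jwt}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"
    if len(header.encode("ascii")) > MIN_UA_COOKIE_BYTES:
        raise ValueError("cookie exceeds 4096 bytes; browsers may drop it")
    return header


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Constructed sample token; the third segment is filler, not a real signature.
SAMPLE_JWT = ".".join([
    _b64url(b'{"alg":"HS256","typ":"JWT"}'),
    _b64url(b'{"sub":"42"}'),
    _b64url(b"constructed-filler-not-a-signature"),
])

if __name__ == "__main__":
    print(jwt_set_cookie("session", SAMPLE_JWT))
    print(is_cookie_value(SAMPLE_JWT))       # the encoded JWT fits the grammar
    print(is_cookie_value('{"sub": "42"}'))  # raw JSON claims do not
```

The size check reflects the 4096-byte per-cookie minimum that RFC 6265 section 6.1 asks user agents to support, counted over name, value and attributes together.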