Cookie Security

On this page

Cookie security

On successful authentication, the Corbado Frontend API sets the following cookies:

Type	Name	Value	Path	Attributes	Default duration
session-token	cbo_session_token	JWT	Application URL	`secure` `sameSite=lax`	5 mins
refresh-token	cbo_refresh_token	Opaque string	Frontend API	`httpOnly` `secure` `sameSite=lax`	1 day

Both the session-token and the refresh-token cookies are set with the secure flag, which ensures that they can only be accessed on secure internet connections. The properties of httpOnly and sameSite will be explained in the following sections on XSS protection and CSRF protection, respectively. These sections provide further details on how these properties contribute to safeguarding against specific types of attacks.

According to GDPR, users are not required to give explicit consent for your application to use session cookies. Session cookies are considered essential cookies, not tracking cookies.

By default, the cookies are not set as wildcard cookies (e.g., *.acme.com). This ensures that, for example, they are not sent to external CDN hosts (e.g., cdn1.acme.com). Avoiding wildcard cookies is considered a good practice.

JWT Security XSS protection

Overview

UI Components

Fullstack Integration

Frontend Integration

Backend Integration

Sessions

Webhooks

Analytics

Helpful Guides

Other

Overview

UI Components

Fullstack Integration

Frontend Integration

Backend Integration

Sessions

Webhooks

Analytics

Helpful Guides

Other

​Cookie security

Cookie security