Concerns about access token in URL and browser history

Hi everyone,

I’m using the latest version of Lock (11.9.0) and I have some concerns about the security of redirect mode. During login in redirect mode the access token is passed to the redirect URL and is visible for a second in the browser address bar, and it also appears in the browser history. My question is: is exposing the access token in the URL secure, given that someone with physical access to the user's computer could copy it from the browser history after the user has logged out and use it to access the API as the user until the token expires?

1 Like

Any updates to this?

Hi Andres. If you do not have MFA requirements, setting auth: { redirect: false } will stop showing id_token in the URL. Have you tried this?

Can you set the response mode in Lock to “form_post”? This uses a POST to the redirect URI rather than a GET, so the token doesn’t get placed in the URL and so doesn’t end up in the browser history.

2 Likes

Hi Chauhan, yes, I actually switched to using redirect mode for exactly this reason: to enable MFA.

I saw that option but I only quickly tried it because I thought maybe it was for something else. How would I interpret a POST request to the browser? Would this mean I would need to receive the access token on the server and pass it somehow to the front end?

Hey there!

Sorry for such a delay in response! We’re doing our best to provide the best developer support experience out there, but sometimes the number of incoming questions is just too big for our bandwidth. Sorry for the inconvenience!

Do you still require further assistance from us?