OAuth flow signed cookie & session tokens

Shopify Partner

I have recently started studying the development platform provided by Shopify and I am trying to create my first application.
I know that Shopify provides a handy CLI to essentially create a skeleton of an application with everything already configured. But, since I am not really comfortable with the languages supported, I have decided to build everything from scratch with a language I am already familiar with.
I followed the documentation provided here (https://shopify.dev/docs/apps/auth/oauth/getting-started) and I was able to successfully implement a basic application.
I have noticed Shopify has been pushing developers to use session tokens (https://shopify.dev/docs/apps/auth/oauth/session-tokens/getting-started) instead of cookies; no problem, I can look into it as well.
So my understanding is that the platform will deprecate cookies at some point, but the OAuth documentation clearly states we should be using cookies. More precisely, to store a nonce value the application randomly generates and associate it with the state query parameter when redirecting to the authorize endpoint. The same value is passed back by Shopify when redirecting back to the app with the authorization code. At this point the app should check if the nonce value matches the value stored in the cookie/session, essentially providing a security layer against CSRF attacks, I believe.
So, how do I completely replace cookies with access tokens in my application if the documentation itself states they are still required? Should I use cookies only for the step I mentioned and do everything else with session tokens, or what?

Replies (2)

Shopify Partner

Hi Giovy,


You don't have to store the nonce in a cookie, they just say that you have to be able to link it back to the original request, how you store the value is up to you.


Your app, if it is an embedded app within the Shopify admin, needs to be able to work with 3rd party cookies turned off, e.g. in Incognito mode with block 3rd party cookies turned on. In this case you will not be able to set cookies in the browser or use local storage or anything like that.


If you build an app for Shopify but do not have it as an embedded app, then you can use cookies as you like, since it is not embedded within an iframe in the Admin.




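As an added example (not code from the question, the reply, or Shopify's own libraries), here is one way to do the nonce check described in the question and in the OAuth getting-started page without any cookie, following the reply's point that only the ability to link the state back to the original request matters. The state value carries its own random nonce, the shop it was issued for and an issue time, all under an HMAC-SHA256 with the app secret, so the callback can validate it with nothing stored in the browser. The callback handler also checks the shop hostname pattern and the `hmac` query parameter that Shopify signs, both as documented on that page. The API key and secret, shop name, redirect URI, TTL and the `constructed_callback` helper that stands in for Shopify's redirect are assumptions made so the example runs offline.

```python
"""Cookie-free OAuth state handling for a Shopify app (illustrative, not Shopify's code)."""
import base64
import binascii
import hashlib
import hmac
import json
import re
import secrets
import time
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Placeholder credentials (assumed); a real app loads these from its environment.
API_KEY = "example-api-key"
API_SECRET = b"example-api-secret"
STATE_TTL = 600  # seconds a state value stays valid (assumed)
# Shop hostname pattern from the OAuth getting-started documentation.
SHOP_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com$")
_used_nonces: set = set()  # replay cache; a multi-process app needs a shared store


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(message: bytes) -> bytes:
    return hmac.new(API_SECRET, message, hashlib.sha256).digest()


def make_state(shop: str, now: Optional[float] = None) -> str:
    """Self-validating state: base64(payload).base64(hmac). The nonce, shop and
    issue time travel inside the value, so no cookie or server session is needed."""
    payload = json.dumps(
        {"n": secrets.token_hex(16), "s": shop, "t": int(now or time.time())},
        separators=(",", ":"),
    ).encode()
    return _b64(payload) + "." + _b64(_sign(payload))


def verify_state(state: str, shop: str, now: Optional[float] = None) -> bool:
    """Accept a state only if our secret signed it, it names this shop,
    it has not expired and its nonce has not been used before."""
    try:
        p, s = state.split(".", 1)
        payload, sig = _unb64(p), _unb64(s)
        data = json.loads(payload)
    except (ValueError, binascii.Error):
        return False
    if not isinstance(data, dict) or not hmac.compare_digest(_sign(payload), sig):
        return False
    if data.get("s") != shop or (now or time.time()) - data.get("t", 0) > STATE_TTL:
        return False
    if data.get("n") in _used_nonces:
        return False
    _used_nonces.add(data["n"])
    return True


def authorize_url(shop: str, scopes: str, redirect_uri: str, state: str) -> str:
    """Step 1 of the documented flow: redirect the merchant to the authorize endpoint."""
    if not SHOP_RE.match(shop):
        raise ValueError("not a myshopify.com hostname")
    query = urlencode({"client_id": API_KEY, "scope": scopes,
                       "redirect_uri": redirect_uri, "state": state})
    return f"https://{shop}/admin/oauth/authorize?{query}"


def callback_message(params: dict) -> str:
    """The string Shopify signs: every parameter except hmac, sorted, joined with &."""
    return "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "hmac")


def verify_callback_hmac(params: dict) -> bool:
    expected = hmac.new(API_SECRET, callback_message(params).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, params.get("hmac", ""))


def handle_callback(query: str, now: Optional[float] = None) -> Optional[str]:
    """Step 2: validate the redirect back from Shopify. Returns the authorization
    code to exchange for an access token, or None if any check fails."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    shop = params.get("shop", "")
    if not SHOP_RE.match(shop):
        return None
    if not verify_callback_hmac(params):
        return None
    if not verify_state(params.get("state", ""), shop, now):
        return None
    return params.get("code")


def constructed_callback(shop: str, code: str, state: str, timestamp: int) -> str:
    """Constructed stand-in for the redirect Shopify sends, signed with the same
    secret the way verify_callback_hmac expects, so the example runs offline."""
    params = {"code": code, "shop": shop, "state": state, "timestamp": str(timestamp)}
    params["hmac"] = hmac.new(API_SECRET, callback_message(params).encode(),
                              hashlib.sha256).hexdigest()
    return urlencode(params)
```

The signed state proves that this app minted the value for this shop, that it is fresh and that it has not been presented before; it does not tie the flow to one particular browser the way a cookie does, so it is a weaker binding than the documented cookie approach, and the replay set has to live in shared storage once the app runs in more than one process. The `hmac` check compares parameters in their URL-decoded form on both sides, which is fine for the simple values used here.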
Shopify Partner

Thanks a lot for your reply, sorry if I am replying only now but I have just seen it.
What you say makes sense. Maybe the documentation (https://shopify.dev/docs/apps/auth/oauth/getting-started) should be updated since it is still clearly talking about a signed cookie to store the nonce value.
I will check how this is implemented in the skeleton application generated via the CLI.