Authentication in Angular: handling new tab or new browser window

This is more of a design flaw in your angular / server setup then a simple token problem.

Normally, when the user opens a link in a new window/tab that starts a clean new session. The URL would point to something that requires authentication, and since it's a new session the angular app should attempt to restore it. Either the user has signed in with remember me enabled, or they will be prompted for their username/password. After successfully authenticating the user the URL should be restored with a redirect.

So it works something like this.

http://example.com/page1 <-- user uses ctrl+click to open new tabhttp://example.com/page2 <-- user doesn't have sessionhttp://example.com/signin?url=/page2 <-- redirect to sign in with return pathhttp://example.com/page2 <-- user session restored after sign in

The signin step can be skipped wit the remember me feature was enabled by the user.

Store the session token in localStorage is the same as not having sessions. Since the token will be restored when the browser is restarted. What's the security in that?

Have you tried setting the JWT in the cookies of your domain. That way if the cookie is set it will be included in every GET/POST request you fire from your application and will resolve your new tab or new browser window issue.