
Goal

I have a page which verifies the user's email address, that has access to their user id. From this page they're redirected to the login page. I want their username to be filled in already. In other words, passing the username (or email) from one page to another.

Question

The first thing that comes to mind would be storing the username (or email) in the session storage.

  • Would this approach impose any security risks?
  • Is there any preference (in terms of security) storing either the username or email address?

Options

These are the options that came to mind, others are happily welcome as well.

  • Session storage (preferred)
  • Pass it through the URL, as queries
  • State management, e.g. Redux
Mike V.
  • Do you mean session storage on the backend or `sessionStorage` on the frontend? – Bubble Hacker Jun 07 '22 at 14:02
  • Not sure I get the question. You don't need to put the user's user name (or any other piece of information) in session in order to display it on a page. But if you did, it's okay as long as you take precautions to secure the session, which you should be doing anyway. – John Wu Jun 07 '22 at 14:51
  • @BubbleHacker I mean sessionStorage on the front-end. – Mike V. Jun 08 '22 at 08:16
  • @JohnWu I indeed do not need session storage to display it on a page. However, I have the username available on one page, and want to pass that to another page, without having to do one of the following: - Put it as a query in the URL - Use state management like Redux. To be clear, I do not mean session storage as in e.g. express-sessions w/ Redis cache. I mean session storage as in similar to local storage. – Mike V. Jun 08 '22 at 08:22
  • please clarify- does your workflow require the user to enter their email, at which point you auto-fill the userid as merely a convenience? or, do you withhold the userid from the user but store and use it behind the scenes along with their password? – brynk Jun 20 '22 at 02:39
  • @brynk The flow is as follows: 1. User clicks on verification url (MyWebsite.com/email/verify) from within their email 2. Once on the page, API call to MyWebsite.com/api/email/verify is automatically made, responding with their username, which is stored in SessionStorage. 3. User is redirected to MyWebsite.com/login, on which the username from SessionStorage is used to automatically have it filled in. After filling it in, username is deleted from SessionStorage. – Mike V. Jun 20 '22 at 13:05
  • assuming they also must provide a password to log in, i think the risk would lie in allowing the unauthenticated caller a mechanism to potentially link an email to a userid, ie. can i provide an email addy and then be redirected with valid userid? (but this may not actually matter in your context?) put another way, you know my userid because it's public knowledge, however, as far as i can tell you don't get my email addy from my profile, nor do you have a way of knowing my email and verifying that i have an account on sec-se (with increased hardness- email+pwd is required to log in) – brynk Jun 20 '22 at 14:02
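An added example (not code from the question or its comments) of the handoff flow described in the comments above: the verify page stashes the username in `sessionStorage` and the login page reads it once, removes it, validates it and prefills the field. The key name, the 5-minute expiry, the username pattern, the `#username` input and the in-memory `Storage` stand-in are all assumptions for illustration.

```javascript
// Handoff of a username from the verify page to the login page via sessionStorage.
// Added example, not from the question or its comments. All constants below are assumed.
const HANDOFF_KEY = 'pendingLoginUsername';   // assumed key name
const HANDOFF_TTL_MS = 5 * 60 * 1000;          // assumed: a stashed username is good for 5 minutes
const USERNAME_RE = /^[A-Za-z0-9._-]{1,64}$/;   // assumed username format; match your own rules

// Minimal Storage stand-in so the functions also run outside a browser (tests, Node).
// In the page itself, pass window.sessionStorage instead.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Verify page: after the API call returns the username, stash it with a timestamp.
// The value came from the server, but it is still checked before it is stored.
function stashUsername(username, store, now = Date.now()) {
  if (typeof username !== 'string' || !USERNAME_RE.test(username)) return false;
  store.setItem(HANDOFF_KEY, JSON.stringify({ u: username, t: now }));
  return true;
}

// Login page: read the handoff exactly once, remove it immediately (valid or not),
// reject stale or malformed entries, and re-validate the username before use.
// sessionStorage is readable by any script running on the origin, so treat it as untrusted input.
function takeUsername(store, now = Date.now()) {
  const raw = store.getItem(HANDOFF_KEY);
  store.removeItem(HANDOFF_KEY);
  if (raw === null) return null;
  let parsed;
  try { parsed = JSON.parse(raw); } catch (e) { return null; }
  if (!parsed || typeof parsed.u !== 'string' || typeof parsed.t !== 'number') return null;
  if (now - parsed.t > HANDOFF_TTL_MS) return null;   // expired handoff
  return USERNAME_RE.test(parsed.u) ? parsed.u : null;
}

// Prefill the login form. The username is assigned to .value (plain data),
// never written into the DOM as markup (innerHTML), so it cannot become script or HTML.
function prefillLoginForm(doc, store, now = Date.now()) {
  const username = takeUsername(store, now);
  const input = doc.querySelector('#username');   // assumed input id
  if (username !== null && input) input.value = username;
  return username;
}
```

Nothing in `sessionStorage` is sent to the server, so the server-side login check still has to treat the submitted username like any other form input.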

0 Answers