Questions tagged [local-storage]

55 questions
56 votes, 4 answers

Is the OWASP recommendation regarding localstorage still valid?

I am currently working on an Application which is a single page application built with Angular. It is served over HTTPS, using HSTS. For authentication, we are using Auth0. The Auth0 documentation recommends storing the access token in…
JMK
25 votes, 2 answers

Is it safe to store a JWT in sessionStorage?

This article from Auth0 recommends storing the JWT locally in local storage (or a cookie). But this article from OWASP recommends not to store any sensitive data locally (not even in sessionStorage). So, is it safe to store the JWT token locally or not?
Ghassan Karwchan
17 votes, 3 answers

Is it possible to force a browser to use HTTP on an SSL-enabled (HTTPS) website?

I was doing security research on storing the session id in local storage instead of storing it in cookies. I understand that it is not possible to tag the values in local storage as HttpOnly and so it may be vulnerable to XSS attacks. Since all…
Anandu M Das
15 votes, 3 answers

Cordova/Phonegap: RefreshToken in localstorage

I am (partly) following a tutorial to develop a cordova app, based on angularJS. The author stores the refresh token in local storage, which was said to be very bad practice in one of the comments on that same tutorial. This is confirmed in another…
Michael
11 votes, 1 answer

Convenient Write-Once Media to attach to a computer: A USB stick or device?

What is a convenient write-once medium to use with a computer, preferably via the USB interface? I often see this use case in several ways: I have a server whose logs need to be on a medium that cannot later be erased or changed by an adversary to…
curious_cat
10 votes, 1 answer

Authentication with JWT

I am building an SPA (React/Redux) and require user authentication. I have found similar discussions, but haven't found answers for the questions I outline below. Here are some options I found to implement: Option 1: Keep JWT in localStorage CSRF attack:…
Ilya
7 votes, 1 answer

Safe to render data directly to DOM from localStorage? XSS attack possible?

I read that localstorage is susceptible to XSS attacks. I currently store JSON Web Token (JWT) in localstorage, and I access and display data about the user through localstorage: var localstore = // localStorage object // On user login, server…
rublex
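The question above asks whether data read back from localStorage can be rendered into the DOM as-is. Below is an added example (not code from the question or its answers) showing the vulnerable and the hardened rendering side by side. Because it runs under Node rather than a browser, a small in-memory object stands in for window.localStorage, and the stored profile is a constructed value carrying an attacker-controlled display name; in a real page the unsafe version corresponds to assigning the string to element.innerHTML and the safe version to element.textContent.

```javascript
// Added example: rendering localStorage-sourced data into markup.
// `localStore` is an in-memory stand-in for window.localStorage (assumption,
// so the file runs under Node); the profile value is constructed.
const backing = new Map();
const localStore = {
  getItem: (k) => (backing.has(k) ? backing.get(k) : null),
  setItem: (k, v) => backing.set(k, String(v)),
};

// Constructed: what the app wrote after login, except the display name was
// set by the attacker (via the server, another tab, or an earlier XSS).
localStore.setItem('profile', JSON.stringify({
  name: 'Mallory<img src=x onerror="alert(document.cookie)">',
  email: 'mallory@example.com',
}));

// Vulnerable: stored text is interpolated straight into markup, which is
// exactly what `el.innerHTML = ...` does in the browser. localStorage is
// just another untrusted input here.
function renderProfileUnsafe() {
  const p = JSON.parse(localStore.getItem('profile'));
  return `<div class="name">${p.name}</div><div class="email">${p.email}</div>`;
}

// Hardened: every value becomes a text node. In a browser you would skip the
// escaping and assign with `el.textContent = p.name` instead.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

function renderProfileSafe() {
  const p = JSON.parse(localStore.getItem('profile'));
  return `<div class="name">${escapeHtml(p.name)}</div>` +
         `<div class="email">${escapeHtml(p.email)}</div>`;
}

// Crude reviewer's check: did a tag we never wrote survive into the output?
function containsInjectedTag(html) {
  return /<(img|script|iframe)\b/i.test(html);
}

console.log(containsInjectedTag(renderProfileUnsafe())); // true
console.log(containsInjectedTag(renderProfileSafe()));   // false
```

Escaping on output stops a stored value from becoming an injection source; it does nothing about the other direction the question hints at, namely an XSS anywhere on the origin reading the JWT out of localStorage. Those are two separate risks and need two separate controls.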
7 votes, 1 answer

Logging in as another user - Security Issue

Two users are using the same web application online. Suddenly, I checked my profile and it was the data of another user. How is this possible? We both are using the same app at the same time, the app is on cloud and we store credentials in browser local…
galos79241
6 votes, 1 answer

Are Javascript closures a useful technique to limit exposing data to XSS?

I'm wondering if using Javascript closures is a useful technique to limit exposing data to XSS? I realize it wouldn't prevent an attack, but would it reliably make an attack more difficult to execute, or would it only make my code more irritating to…
DavidS
5 votes, 2 answers

How to securely store application data on mobile device

How can security be enhanced to the maximum in a messaging app storing message history on the device (like WhatsApp)? I am specifically referring to methods to minimize the risk of the data being stolen in case the device is physically compromised…
user3074662
4 votes, 1 answer

How to securely store an access token in Android

I have a web application which stores its access token in localStorage. It also has an Android application which is basically a WebView wrapper of the web application. In this case, the local storage will be saved to the app's data folder, say…
Anonymous Platypus
3 votes, 1 answer

What's wrong with storing a username and password as a cookie?

I'm working on a legacy application that issues JWTs with a short expiry time. They do not have refresh token functionality implemented. So obviously while using refresh tokens would be the right solution, for the sake of argument assume that's not…
dwjohnston
3 votes, 1 answer

What data related to a specific web page can be obtained outside the browser?

The browser has several built-in storages, such as local storage or indexedDB. Does it make sense to store sensitive data in them if there is a risk that some malware can access the browser's data directory?
Denis
3 votes, 0 answers

How can Web Crypto API and IndexedDB protect data stored on the client side against user manipulation?

Imagine web apps that are supposed to work with no or only a few interactions with the web server, for example: a browser game in which the player's level and progress are to be saved locally. a game, progressive web app or browser extension with…
3 votes, 2 answers

Checking a locally stored string for tamper

I'm working on a multiplayer game using WebSockets. I've decided all user data will be stored on the client, eliminating the need for authentication using passwords etc. LocalStorage 'save' -> '{"key":"value", "key2":"value2"}' 'hash' -> '
Peter Gordon