Questions tagged [local-storage]

55 questions
3 votes, 1 answer

How secure is HTML5 web storage (sessionStorage and localStorage)?

I'm thinking of using either sessionStorage or localStorage to store some important user data. The extension's functionality will only work in the context of a particular website that defaults to HTTPS. The data isn't confidential but I want to…
user5508297
2 votes, 1 answer

Cookies VS localStorage (JavaScript Security)

I know that HTTP requests made by the site get the browser's localStorage for a site, and document.cookie is encrypted for HTTPS websites, but I'm still wondering about the risk of storing sensitive information, because even if the hacker got the…
2 votes, 2 answers

What's wrong with this system to proactively check if customers' passwords have been found in a breach?

Let's say that during account creation, I already prohibit passwords known to be reused from breaches of other sites, like if it's in the Have I Been Pwned list. But breaches happen all the time, so what if my customers' passwords show up in the…
2 votes, 2 answers

Is LocalStorage in web browsers safe enough to store passwords?

I currently have a system I'm building where users can enter an email address and password into my login page, and if they click the signup button after doing that, it stores that data in LocalStorage, before redirecting the user to the signup…
2 votes, 1 answer

How is security risk of storing authentication token in localStorage compared with cookies?

I've read that it's a bad idea to save a Single Page App's encrypted authentication token in the browser's localStorage because this makes your app vulnerable to XSS attacks, and when the token is stolen, the hacker can disguise themselves as the user and do…
Milkyway
2 votes, 1 answer

Data extraction, temporary storage and audit log - Advice needed

At work, we are planning to take down a database for 24 hours. We are not going down the track of creating a "Hot standby", the DB will be completely offline throughout. During the downtime, we would like limited access to some information from the…
2 votes, 1 answer

Storing Username in sessionStorage: bad idea?

I am working on a React-Django application that uses JWT for authentication. The user signs in with their username and password, the server validates and responds with a JWT and username, and (currently) I am only storing the JWT in sessionStorage. That…
cjones
2 votes, 0 answers

Is it a good practice to combine cookies and local storage to protect against XSS and CSRF?

We know that cookies with the httpOnly and secure flags are immune to XSS and vulnerable to CSRF attacks. And at the same time we know that local storage is vulnerable to XSS, but can protect against CSRF. So, what if we combine them in this manner: 1)…
Jacobian
2 votes, 1 answer

Storing privacy sensitive data in a local application

We have multiple desktop applications that are being used by clients on unconnected desktop computers. The application instances are being used by multiple users secured by username and password. The problem is that these users share the same…
Wouter
2 votes, 1 answer

How to handle OAuth2 refresh_token for sessionless login?

I'm working on a single-page sessionless app with OAuth2 login and a "Remember me" checkbox. When the user checks "Remember me" on login I store the refresh token in LocalStorage for 30 days. It feels a little insecure to just leave it there until…
jwerre
2 votes, 1 answer

Proper way of archiving malicious files

I have to archive (and in some cases analyse) malicious files that were able to get into our company. What precautions should one take for handling these files? Given that the files won't be executed (this happens in a separate environment) but are…
architekt
2 votes, 1 answer

JWT token size problem

I'm developing a single-page app that interacts with an OAuth-based service. This service grants JWT tokens (refresh and access) for a lot of resources. Potentially the number of tokens can be anywhere between 2 and 100. My question is: where…
Nir Smadar
2 votes, 2 answers

Can a BIOS or UEFI infection transfer to other storage drives without the OS presence?

I am already aware that BIOS or UEFI malware "activates" only in the OS environment. Is it possible, though, that a spread mechanism could be activated without the presence of the OS, so that it would infect plugged-in storage drives (IDE, SATA or USB) with…
pgmank
1 vote, 1 answer

Brief staging area for unencrypted files

I have an integration workflow where: A server retrieves a remote file via an encrypted connection. The file is unencrypted. The server runs Linux (Ubuntu 14.04 LTS). The file is downloaded to a temporary staging directory. It could be large…
tohster
1 vote, 1 answer

What are the major threats involved in storing the session identifiers in local storage instead of cookies?

I want to know the major security threats involved in storing the session variables in client-side local storage, instead of storing them in cookies. Can somebody give me a brief description?
Anandu M Das