
I have a REST API which returns an auth token when the user is logged in successfully. This token needs to be sent in different routes for authorisation. This is working fine in my Android app. But I want to use this in my website and I am not sure how I should be storing the auth token in the browser securely.

  • 6
    Does this answer your question? [Best place to store authentication tokens client side](https://security.stackexchange.com/questions/80727/best-place-to-store-authentication-tokens-client-side) – roy.stultiens Mar 26 '20 at 08:37
  • I don't believe this should be marked as a duplicate of the question above, just because it's 5 years out of date, and i'd like to see a newer answer. – Mike Ounsworth Apr 07 '20 at 02:46
  • @MikeOunsworth True – shubham shreyash Apr 09 '20 at 12:52
  • This is meta level discussion, but the question is a duplicate, and if there's a new, better answer, it should be added there, instead, because people will find that question first. – Esa Jokinen Apr 19 '20 at 13:26

2 Answers

1

Cookies with a MUST of "httponly" and "secure" attributes are the only secure way forward. This is because in the scenario of an XSS (Cross Site Scripting) attack, LocalStorage or the DOM data can be easily read by the attacker.

If you define a cookie with the httponly tag, JavaScript can't access that value, preventing XSS attacks.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
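An added example, not part of the answer above, showing what the recommended attributes look like on the wire and a small check a reviewer can run against a Set-Cookie header. The function names (buildAuthCookie, parseSetCookie, auditSetCookie), the cookie name and the sample token value are constructed for this example; it is plain Node.js and talks to no server.

```javascript
// Added example: build a Set-Cookie header with the attributes the answer
// recommends, and audit an arbitrary Set-Cookie header for the ones that are
// missing. Function names and sample values are assumptions for this example.

function buildAuthCookie(name, token, { maxAgeSeconds = 900, sameSite = 'Strict' } = {}) {
  // Reject names that would break the header syntax; encode the value so a
  // token containing ';' or spaces cannot smuggle in extra attributes.
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error('invalid cookie name');
  const value = encodeURIComponent(token);
  return [
    `${name}=${value}`,
    `Max-Age=${maxAgeSeconds}`,  // short lifetime limits the window after a leak
    'Path=/',
    'HttpOnly',                  // invisible to document.cookie, so XSS cannot read it
    'Secure',                    // only ever sent over HTTPS
    `SameSite=${sameSite}`,      // not attached to most cross-site requests (CSRF)
  ].join('; ');
}

// Parse a Set-Cookie header value into { name, value, attributes }.
// Attribute keys are lower-cased; flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: decodeURIComponent(pair.slice(eq + 1)),
    attributes: {},
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Return the list of problems a reviewer would raise for an auth-token cookie.
function auditSetCookie(header) {
  const { attributes } = parseSetCookie(header);
  const problems = [];
  if (!attributes.httponly) problems.push('missing HttpOnly: readable via document.cookie');
  if (!attributes.secure) problems.push('missing Secure: may be sent over plain HTTP');
  const sameSite = String(attributes.samesite || '').toLowerCase();
  if (sameSite !== 'strict' && sameSite !== 'lax') {
    problems.push('SameSite not Strict/Lax: cross-site requests will carry it');
  }
  if (attributes['max-age'] !== undefined && Number(attributes['max-age']) > 86400) {
    problems.push('Max-Age longer than a day: widens the window after a leak');
  }
  return problems;
}

// Demo: the hardened cookie passes, a naive one does not.
const hardened = buildAuthCookie('auth', 'constructed.sample.token');
const naive = 'auth=constructed.sample.token; Path=/';
console.log(hardened);
console.log(auditSetCookie(hardened)); // []
console.log(auditSetCookie(naive));
```

The audit is the useful part in practice: run it over the Set-Cookie headers your login endpoint actually emits, since frameworks often default to neither HttpOnly nor Secure.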

0

One way would be to store the token in a JavaScript object. This way it is stored in memory and will not be accessible once the tab is closed (and eventually garbage collected). It is generally considered a bad practice to store tokens in local storage or cookies as these practices are vulnerable to attacks such as XSS and CSRF (well, httponly cookies prevent XSS but are still vulnerable to CSRF).

This would of course depend on the architecture of your application. Auth0 has a good article explaining different ways to store tokens.

bhorkarg
  • Wherever you store the token, it is recommended to keep its lifetime as small as possible so that in the event of a disclosure, the attack period is minimised. – bhorkarg Mar 26 '20 at 09:03
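An added example, not part of the answer or comment above, of the in-memory approach the answer describes combined with the short lifetime the comment recommends. The token lives in a closure rather than on a global, in localStorage or in a cookie, and is sent as an Authorization header, which browsers never attach on their own, so a forged cross-site request cannot carry it. createTokenClient, makeFakeFetch, the injected clock and the sample token are constructed for this example; fetch is stubbed so it runs offline in Node.js.

```javascript
// Added example: in-memory token holder with expiry. Names and sample values
// are assumptions for this example; fetchImpl/now are injected so it runs offline.

function createTokenClient({ fetchImpl, now = () => Date.now() }) {
  // Closure state: not reachable from window, localStorage or document.cookie.
  let token = null;
  let expiresAt = 0;

  const valid = () => token !== null && now() < expiresAt;

  return {
    // Call after a successful login; ttlSeconds should come from the API response.
    setToken(value, ttlSeconds) {
      token = value;
      expiresAt = now() + ttlSeconds * 1000;
    },
    // Drop the token on logout so nothing lingers in memory longer than needed.
    clear() {
      token = null;
      expiresAt = 0;
    },
    hasValidToken: valid,
    // Attach the token as a bearer header. Throws synchronously when the token
    // is missing or expired so the caller can redirect to login instead of
    // sending a request that will fail. Returns whatever fetchImpl returns
    // (a Promise with the real fetch).
    authFetch(url, init = {}) {
      if (!valid()) throw new Error('no valid token: user must log in again');
      const headers = { ...(init.headers || {}), Authorization: `Bearer ${token}` };
      return fetchImpl(url, { ...init, headers });
    },
  };
}

// Constructed stand-in for fetch: records each request instead of sending it.
function makeFakeFetch() {
  const calls = [];
  const fetchImpl = (url, init) => {
    calls.push({ url, init });
    return Promise.resolve({ status: 200 });
  };
  return { fetchImpl, calls };
}

// Demo with a simulated clock: one request before expiry, one after.
function demo() {
  let clock = 1000000;
  const { fetchImpl, calls } = makeFakeFetch();
  const client = createTokenClient({ fetchImpl, now: () => clock });

  client.setToken('constructed-token-abc', 300); // five-minute lifetime
  client.authFetch('/api/profile');
  const header = calls[0].init.headers.Authorization;

  clock += 301 * 1000; // advance past expiry
  let rejectedAfterExpiry = false;
  try {
    client.authFetch('/api/profile');
  } catch (e) {
    rejectedAfterExpiry = true;
  }
  return { header, rejectedAfterExpiry, requestsSent: calls.length };
}

console.log(demo()); // { header: 'Bearer constructed-token-abc', rejectedAfterExpiry: true, requestsSent: 1 }
```

The trade-off the answer alludes to still applies: an XSS payload running in the page can call authFetch itself while the tab is open, so the in-memory approach narrows exposure (no persistent copy, short lifetime) rather than eliminating it.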