
How to save Token to Local Storage?

I'm working on a login system for an app in school. I can register a user that gets saved to my Azure DocumentDB. I can then sort of log in with the user. But it (the token) never gets saved so that I can access the token...

The script for the log in looks like this:

    var signin = function() {
        var tokenUrl = "http://localhost:15746/Token";
        var loginData = $("#userSignup").serialize();
        loginData = loginData + "&grant_type=password";
        $.post(tokenUrl, loginData).then(navigateToEvent);

        return false;
    };

    $("#signup").click(signin);

How could I store the Token? In Local Storage? How?

Boba asked Dec 12 '14 13:12


People also ask

How to save a token to local storage in React?

Go to localhost:3000 or whatever port you are running it on, and go to a non-member register here and let's register for another account. Make sure it has an e-mail that you haven't used yet. It can be whatever, and hit create account. We get back the token and user object restoring the users.

Is local storage safe for tokens?

On the downside, localStorage is potentially vulnerable to cross-site scripting (XSS) attacks. If an attacker can inject malicious JavaScript into a webpage, they can steal an access token in localStorage. Also, unlike cookies, localStorage doesn't provide secure attributes that you can set to block attacks.

How do I store access tokens?

Most guidelines, while advising against storing access tokens in the session or local storage, recommend the use of session cookies. However, we can use session cookies only with the domain that sets the cookie. Another popular suggestion is to store access tokens in the browser's memory.


2 Answers

To save a string in Local Storage you use

    window.localStorage.setItem(key, value);

You can get the value later with:

    window.localStorage.getItem(key);

Andreas Argelius answered Sep 30 '22 16:09


Don't save a token in Local Storage. It's not good style because you open yourself up to attackers. I found this link in my search: https://medium.com/@benjamin.botto/secure-access-token-storage-with-single-page-applications-part-1-9536b0021321.

This is part of what's on the page:

“It’s recommended not to store any sensitive information in local storage.” -OWASP Cheat Sheet

“Don’t store tokens in local storage.” -Auth0: Where to Store Tokens

“You are safe from CSRF, but you have opened yourself up to a much greater attack vector… XSS.” -Okta: JWTs Suck

“Don’t store [JWTs] in local storage (or session storage).” -LogRocket: JWT Authentication Best Practices

“It is best to avoid letting the JavaScript code ever see the access token.” -OAuth 2.0 for Browser-Based Apps: Best Current Practice

dino answered Sep 30 '22 16:09
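
The alternative the quoted guidance points toward, keeping the token in the page's memory instead of local storage, as an added example that is not code from the question or from either answer. It assumes the `/Token` endpoint returns the standard OAuth 2.0 JSON body (`access_token`, `token_type`, `expires_in`); `createTokenStore` and the sample values are made up for illustration.

```javascript
// Added example. Assumes the /Token endpoint returns the usual OAuth 2.0 JSON
// body { access_token, token_type, expires_in }, with expires_in in seconds.

// Holds the token in a closure variable only: it is never written to
// localStorage or sessionStorage, and it is gone after a page reload.
function createTokenStore(now = () => Date.now()) {
  let token = null;
  let expiresAt = 0; // epoch milliseconds

  return {
    // Call with the parsed response, e.g. from $.post(...).then(store.save).
    save(response) {
      if (!response || typeof response.access_token !== "string" || !response.access_token) {
        throw new Error("token response has no access_token");
      }
      const lifetime = Number(response.expires_in);
      if (!Number.isFinite(lifetime) || lifetime <= 0) {
        throw new Error("token response has no usable expires_in");
      }
      token = response.access_token;
      expiresAt = now() + lifetime * 1000;
    },
    // Headers for an API call, or null when the user has to sign in again.
    authHeaders() {
      if (token === null || now() >= expiresAt) {
        token = null;
        return null;
      }
      return { Authorization: "Bearer " + token };
    },
    clear() {
      token = null;
      expiresAt = 0;
    }
  };
}

// Constructed sample response and a fake clock so the example runs offline.
const sampleResponse = { access_token: "constructed-sample-token", token_type: "bearer", expires_in: 60 };
let fakeTime = 1000;
const store = createTokenStore(() => fakeTime);
store.save(sampleResponse);
console.log(store.authHeaders());
console.log(JSON.stringify(store)); // "{}": the token is not a property of the store
fakeTime += 61 * 1000;
console.log(store.authHeaders()); // null: expired, sign in again
```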