Is it safe to store a sensitive data in Local Stoarge or session storage? Localstorage allows to any attacks for sensitive data

Question

In web application , How secure is local storage in Html5 or else is there any other way to secure the sensitive data in local storage.

Project Structure:

Front End: Html5,Angular js, Middletier: Asp.net webApi , BackEnd :Sql Server.

Once user login into the page, that credentials is encrypted by using some cryptography algorithms.It will be stored in db.

After that every child action like products list, order details, book history ,add product need to validate that.

While refresh after the page, data gets lossed so need to persist the data so i have choose localstorage. stored the username and password encrypted using some js algorithms and in put in local storage.

I feel it as not safe , because of any one can steal the data from the browser tools.

Is there any alternative approach in this scenario or else this approach is secure.

can anyone help me to process.

Answer 1

There is something that every Webapp Craftsman must know:

There is no repository beyond your firewall that can be fully secure. Why? Because the open door that you NEED to allow your application manipulate the data is accessible to everyone.

Imagine that you decide to encrypt the content of the local storage.

This will prevent someone with access to the browser's local storage (e.g. the developer tool) to be able to read/write the data. But how your application will access the data? You have two options:

1. Send the encryption algorithm + passphrase within the client-side app. This will expose all your data if someone manage to read the code of your app and access to memory of the browser (e.g. the developer tool)
2. Send every data from the client-side to the server to be decrypted there. Well ... this is pointless. Is better to store the data in the server for that matter.

You can try as much as you want, you will need an open door, and that open door can be use by anyone.

But I've a question for you: Do you really need a fully secure repository in the client side? This kind of repository weren't created for be fully secure, but they are secure enough!

For example, the session cookie of your web app is stored by the browser right? And if someone steal that cookie, it can impersonate the user and your application will never notice it, right? This is pretty scary when you think about it.

Nowadays nobody put to much thinking on this because browsers are secure enough to protect cookies from malicious access. And of course, they did the same to protect the local local/session storage, IndexedDB, WebSQL, etc.

So, if your data is more precious than your user session, keep it in the server. If not, go ahead and put it in the browser.

PRO TIP: Consider encryption when storing in a no secure repository to make it harder to get. But remember that this comes at a price: you will not be able to use the query system of those repositories to search over encrypted data.