
Mobile App Development - HTML5 LocalStorage versus SessionStorage versus Cookies

We are developing a mobile web application on the jQuery Mobile platform that requires a user to provide their username and password.

Rather than asking the user to re-enter their details each time we want to only ask them once for their username and password and then prompt them to enter a pin.

We will encrypt this pin and encrypt a user identifier string and save both either in LocalStorage or Cookie.

When the user visits the application for a second time we will test if a user identifier can be found and if so prompt them to enter a pin.

Once the pin is entered we will securely (SSL) pass the pin and the user identifier to be decrypted and validated on the server.

I've read in a few places that we should use Cookies instead of LocalStorage (from a security point of view). Would you concur with this and can cookies be used across most smart-phones?

We also need to ensure that the user is required to re-enter their pin each time they close the browser or browse to another page or exceed 30 minutes of inactivity.

To manage this I was thinking of storing a value in SessionStorage as I have read that this is more secure than LocalStorage and expires when the browser is closed. Alternatively we could use Cookies again.

Security is a key concern so I'd be interested to hear any tips and/or alternative approaches you may have.

Many thanks in advance...

user445069 asked May 02 '11 21:05


1 Answer

If security is your chief concern, I would not recommend using cookies since they are sent with every request to the server, which could potentially be intercepted by anyone sniffing that traffic over the network. Performance-wise, using cookies also increases the amount of data going back and forth between server and client.

For your purposes I would choose sessionStorage if you want your data to be persistent only for the life of the browser session, including as well a timestamp that you can test for session expiration. Data in sessionStorage and localStorage stays only on the client and is never sent to the server.

Ryan answered Sep 28 '22 02:09
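
The timestamp check on sessionStorage that the answer describes, with the 30-minute inactivity limit from the question, as an added example that is not part of the original post. The key name, the function names and the in-memory stand-in (used only to run outside a browser) are assumptions; in a page, pass `window.sessionStorage` as `storage`.

```javascript
const IDLE_LIMIT_MS = 30 * 60 * 1000; // 30 minutes of inactivity, from the question
const KEY = 'pinSession';             // hypothetical storage key

// Constructed stand-in exposing the subset of the Storage API used below.
function memoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}

// Call once the server has accepted the PIN.
function startSession(storage, now = Date.now()) {
  storage.setItem(KEY, JSON.stringify({ lastActive: now }));
}

// Call on every page load or user action.
// Returns true and refreshes the timestamp while the session is live;
// otherwise clears the record and returns false (caller re-prompts for the PIN).
function touchSession(storage, now = Date.now()) {
  const raw = storage.getItem(KEY);
  if (raw === null) return false;

  let rec = null;
  try { rec = JSON.parse(raw); } catch (e) { /* tampered or corrupt value */ }
  const last = rec && Number.isFinite(rec.lastActive) ? rec.lastActive : NaN;
  const idle = now - last;

  // Fails closed on NaN, on a clock set backwards, and on expiry.
  if (!(idle >= 0 && idle < IDLE_LIMIT_MS)) {
    storage.removeItem(KEY);
    return false;
  }
  storage.setItem(KEY, JSON.stringify({ lastActive: now }));
  return true;
}
```

The stored timestamp can be rewritten by any script running in the page, so this check only decides when to show the PIN prompt; the server should enforce its own expiry on whatever it issues after validating the PIN.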