Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Storing Credentials in Local Storage

Could I securely use local storage instead of cookies to store session credentials?

Would I need to store an encrypted hash??

EDIT: Would this be secure enough?

  • User logs in.

  • Server returns success message including salted bcrypt hash mixing userid, password, timestamp, and possibly ip address. This is saved in local storage.

  • On future connects this hash is sent, server assumes accountability as long as IP address hasn't changed, and time limit hasn't expired.

like image 232
fancy Avatar asked Oct 22 '11 13:10

fancy


People also ask

Is it safe to store passwords in local storage?

Storing something sensitive like a password in a local storage file actually simplifies the process for a hacker, because they won't need to load the cookie into their own browser.

How do I store login credentials in local storage?

For storing credentials in local storage, on successful login, generate a completely random string unrelated to user credentials. You need to store this in the database. Do not forget to add an expiry date. Pass that string to the JavaScript to be stored in local storage.

Is it safe to store user ID in localStorage?

Never store sensitive information in LocalStorage. If malicious JavaScript code is added by you or your dependencies, they can retrieve user data or tokens you use to authenticate with APIs.

Is localStorage safe for authentication?

If you store it inside localStorage, it's accessible by any script inside your page. This is as bad as it sounds; an XSS attack could give an external attacker access to the token. To reiterate, whatever you do, don't store a JWT in local storage (or session storage).


1 Answers

localstorage is just as vulnerable to being read by JavaScript as cookies are.

localstorage can be read using JavaScript from the same domain, if you control all the JS on the domain, then this shouldn't be a problem. But if any other code is executed (via injection for example, or if you share the domain with someone else), they will be able to access the storage data.

This is the same for cookies however, but typically the cookie is set to HTTPOnly so JavaScript cannot read it.

In either case, plain-text login information shouldn't be stored in either cookies or localstorage anyhow, as if someone does get hold of them, they can continuously make a new session for themselves.

You should encrypt an authenticated identifier (such as their user ID) along with the datetime of the session expiration, and then store this value in either a cookie or local storage. This token is then validated on each server call.

like image 85
simbolo Avatar answered Sep 30 '22 04:09

simbolo