
I'm working on an HTML5 mobile app. The app only uses 1 HTML file which contains a login form. On submit, JavaScript posts the username and password to a PHP script on the server which returns 'true' or 'false'.

When the authentication returns true, the app changes the HTML5 page and stores the username and password in HTML5 local storage.

Since this is sensitive data my question is how to store these values in a secure way?

function handleLogin() {
    var form = $("#loginForm");
    var u = $("#username", form).val();
    var p = $("#password", form).val();
    if (u != '' && p != '') {
        // POST the credentials to the PHP script, which answers with JSON true/false
        $.post("http://www.mywebsite.com/login.php", {username: u, password: p}, function(res) {
            if (res == true) {
                // store the credentials in HTML5 local storage
                window.localStorage["username"] = u;
                window.localStorage["password"] = p;
                $.mobile.changePage("index-2.html");
            } else {
                // error message
            }
            $("#submitButton").removeAttr("disabled");
        }, "json");
    }
    return false;
}
Citizen SP

  • This might help: http://stackoverflow.com/questions/5555167/how-secure-is-html5-local-storage-for-a-mobile-device – Codesleuth Feb 20 '13 at 09:19
  • Also see this: https://developers.google.com/web-toolkit/doc/latest/DevGuideHtml5Storage specifically the quote `HTML5 local storage saves data unencrypted in string form in the regular browser cache. It is not secure storage.` – Codesleuth Feb 20 '13 at 09:20
  • I suggest you read about "nonces": http://en.wikipedia.org/wiki/Cryptographic_nonce – elclanrs Feb 20 '13 at 09:22
  • If you have control over the server you could make it return an authentication token instead of just true, and save that locally. That way you wouldn't need to save sensitive user data on the client. – Per Salbark Feb 20 '13 at 09:22

1 Answer


I would suggest using access tokens, since these can be updated and changed frequently; a token also doesn't reveal who the user is or what their hashed password is.

http://php.net/manual/en/oauth.getaccesstoken.php

Edit: You do NOT want to use localStorage!

WeeklyDad