
I'm building a web application that accesses a private API. The API that I'm consuming uses HTTP Basic Authentication over TLS. My client has requested a "remember me" functionality for the web app so that users can maintain persistent authentication on a given device.

My quick-and-dirty solution is to store the Authorization header in localStorage after it has been validated. Of course, given unmitigated access to a user's device, anybody who is worth their weight in salt could copy the auth header from localStorage and decode it to retrieve the user's login/password combo.

Aside from total device compromise, are there any other security implications from storing this type of sensitive data in localStorage? Is localStorage acceptable as a store for sensitive data such as passwords? If not, how would you persist such data on a user's device beyond an individual browser session?

(I wish everybody could just use his or her private key...passwords are so 90s)

EDIT: After reading HTML5 localStorage security it seems clear that storage of sensitive data in localStorage in general is a bad idea, but what better option is there for authentication persistence in this case?

Ben Harold
  • You could consider encrypting it; I found a solution online. It works great. This blog post is written with PhoneGap in mind, but would work in other scenarios: https://onallthingsweb.wordpress.com/2013/12/02/javascript-encryption-for-mobile-apps/ – Brian Mains Oct 11 '14 at 01:15
  • 2
    @Brian Mains: if JS in runtime can decrypt it - then it can be decrypted by a malicious user as well. – zerkms Oct 11 '14 at 01:45
  • Is this web or phonegap? We don't know the environment, but yes, of course that is a concern... – Brian Mains Oct 11 '14 at 01:46

1 Answer


I think it's a bad idea to store something related to the login or the password on the user's side.

But once a user has logged in, you can store a random string (a random hash for example) on the user's side and in your database. When the user gets back, you can compare the two and if they are identical, you can log in the user. And you can ask the user to enter his password for sensitive actions (change password or login, etc.). So even if the hash is stolen, no one will be able to get full access to this account.

Edit: this concept is already used with cookies. I've never tested it with localStorage.

A.L