i'm building a stateless authentication system for a Dart frontend and have discovered that it's quite tricky to build a stateless authentication system that's actually secure.
The stack is as follow: Dart application that does JSON POSTs to a Spring MVC backend using Jackson to convert back and forth between JSON and Java objects. Everything will be behind SSL when it goes into production.
Scenario 1: User logs in, I keep a session on the Java side - this is not stateless and will cause problems when load balancing the backend.
Scenario 2: Upon hitting the login button, a POST is done by Dart to the Authentication controller which verifies the credentials and passes back a token (which could be a bunch of UUIDs concatenated together). The token comes back to the frontend - This token combined with the username will then have to be passed along with each request. The dart application now needs to store this token somewhere, since a Dart application compiles to JavaScript, cookies seems to be not an option (JavaScript can't access cookies ?). HTML5 localstorage comes to mind, but from what I've read, it's pretty easy to hijack that token if any form of XSS vulnerability is available (and I'm guessing browser plugins and toolbars that inject JavaScript into the page can also access this token).
Scenario 3: Just like in scenario 2, I get passed back a token from the Spring MVC backend, but instead of storing it in HTML5 localstorage, I keep in a JavaScript variable and pass it on if a new window is opened. The same problem applies here, since it's inside a javascript variable, any kind of XSS vulnerability or browser plugin can nab that token and hijack the session.
So it seems for a stateless "session", HTML5 localstorage is the most convenient, but it's not secure. Is there a way to secure it or is there an alternative way that will allow me stateless authentication in the browser?
