
I am handling sessions by storing the user data in the sessionStorage of the browser using AngularJS. The basic flow I am using is as follows:

  1. Login by front-end
  2. Returning the user from node, i.e. the back-end
  3. Storing the returned data in sessionStorage
  4. Sending the ID of the user with every request to the server
  5. Clearing the storage when signing out

Is my approach correct? If not, then how can I manage sessions efficiently in a MEAN app?

mayvid14

1 Answer


Storing critical data such as tokens in LocalStorage or SessionStorage is definitely not a good idea, as it is vulnerable to XSS attacks.

A better practice would be to store this information in a cookie... However, we're not done here, as cookies are vulnerable to CSRF attacks.

Thus, the best possible way to do it is to store critical info in a cookie, and protect your clients from CSRF by storing a randomly generated session key in SessionStorage.

Check this answer: CSRF Token necessary when using Stateless(= Sessionless) Authentication?

Alexis Facques