
Is there any way to store localStorage data securely, like encrypting and decrypting the localStorage data? I don't want other users to manipulate the localStorage data. If that is not possible with localStorage, what are the other ways to store data on the client side?

I have seen WebSQL, but that also gets manipulated easily by writing queries in the console.

Note: Can you please provide the solution for Angular 2+!

Sivakumar Tadisetti

  • Possible duplicate of [Can local storage ever be considered secure?](https://stackoverflow.com/questions/17280390/can-local-storage-ever-be-considered-secure) – Tomasz Kula Apr 18 '18 at 10:36
  • @TomaszKula nice thread linked, thx for sharing. – Yanis-git Apr 18 '18 at 10:42
  • @TomaszKula, so you said this question is a duplicate. I didn't get any answer from your shared link. Can you tell me how to secure the localStorage? If you don't know, leave it, no problem. – Sivakumar Tadisetti Apr 18 '18 at 10:44
  • @JSSA It does provide an answer, please read it properly. – Lazar Ljubenović Apr 18 '18 at 10:45
  • @LazarLjubenović Yeah, I read the answer. From that answer what I understood is that they are saying "Don't use Javascript crypto" and "WebCrypto API, but that is not here yet". I didn't get an answer like "Use this library or this method to secure localStorage". That is what I want. – Sivakumar Tadisetti Apr 18 '18 at 10:49
  • In that case I do not understand why the answer you got below is the one which helped you. It just repeats what the linked duplicate question said. – Lazar Ljubenović Apr 18 '18 at 10:57

2 Answers


No, there isn't any way to store data on the client side which the client won't be able to manipulate.

In Angular, you can save data in services, but that will be cleared if the user refreshes the browser.


Contrary to the other answer, you can securely store any value in the client, where by "securely" I mean the value is not known to the client and/or cannot be modified. The storage mechanism can be localStorage, WebSQL or whatever else. The catch is that JavaScript code will not be able to read and/or modify such a value either, because obviously JavaScript is the client from which you want to protect such data.

If you have a server-side secret (a key), you can use it to encrypt (for confidentiality) and/or sign (for integrity) any data sent to the client. This is how frameworks like Rails handle sessions by default, without server-side persistence and still relatively securely.

Note that simply encrypting a cookie on the server will not necessarily authenticate its contents (see authenticated encryption), and such a cookie would also be vulnerable to replay attacks, against which you can use a timestamp or a nonce. You have to care about forward secrecy if you need it. So in short, you have to take care of this stuff yourself, which is not straightforward, but not impossible either.

If you only sign the data but do not encrypt it, JavaScript may have access to it, but still won't be able to modify it.

Gabor Lengyel