
Say I have a web app which is using AngularJS (not a SPA though). In that I have a login mechanism which uses the Angular $http service to make a call to the appropriate route, and once the credentials have been verified it sends a JSON containing user info such as

{
    "firstName": "John",
    "lastName": "Doe",
    "email": "john.doe@xyz.com",
    "profileURI": "somelink.com"
}

I want to store this JSON in the browser so I can access and show it across multiple pages (inside the navbar).

So, is it recommended/good practice to use $localStorage to store such data? Are there any security concerns?

Taran Vohra
  • If you want to store it locally, local storage seems like a reasonable option. What security concerns do you think there would be? Is there anything sensitive in this data? – David May 10 '18 at 11:59
  • It's just name, contact number and profile image links. I'm just worried that, since it is in localStorage, any other application can read it. – Taran Vohra May 10 '18 at 12:08
  • What's the downside of other applications reading this data? Those other applications are also running on the user's computer, which you don't control anyway. Any information you send to the user can be read by the user and by any application the user chooses to run. – David May 10 '18 at 12:10
  • So if I visit multiple websites in a day, they can capture all this data, right? I kind of wanted it to be restricted only to the application for which it was meant. Do you have any idea what others like Twitter and Google do to persist this information across various pages? Do they have an API call every time a user lands on the page? – Taran Vohra May 10 '18 at 12:15
  • It's my understanding that local storage is at least isolated per domain, following the same rules as the Same Origin Policy: https://stackoverflow.com/questions/4201239/in-html5-is-the-localstorage-object-isolated-per-page-domain This assumes that the browser follows those rules. The user can choose (knowingly or otherwise, in the case of malware) to do whatever they want with any data stored on their machine. Your security concern is really at the point where the user interacts with your server-side application. Not so much what the user does with information they're allowed to have. – David May 10 '18 at 12:19
  • Ohh, I wasn't aware of the Same Origin Policy for local storage. I think it might solve most of my concerns. Thanks! – Taran Vohra May 10 '18 at 12:25

1 Answer


You have the below JSON data.

{
    "firstName": "John",
    "lastName": "Doe",
    "email": "john.doe@xyz.com",
    "profileURI": "somelink.com"
}

You have to set the JSON data to a variable like this.myJson = JSON_data and store it in local storage as

// localStorage stores strings only, so serialize the object first
localStorage.setItem('varName', JSON.stringify(this.myJson));

Or you can set the JSON data separately and get it easily whenever you need it as

// Store each field under its own key (these values are already strings)
localStorage.setItem('firstName', JSON_data.firstName);
localStorage.setItem('email', JSON_data.email);

and get them as

localStorage.getItem('firstName');
localStorage.getItem('email');

And it is a good practice to store only the data you need in localStorage. You should not store important data like passwords in local storage. Only global/common data that you will need should be stored.

Sujan Gainju
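One way to apply the advice in the answer above (keep only the display data, never secrets) is an allow-list applied both when writing to and when reading from storage; this is an added example, not code from the original thread. The field names come from the question's JSON, while `PROFILE_KEY`, `saveProfile`, `loadProfile`, `makeMemoryStorage` and the sample response are hypothetical names and constructed data.

```javascript
// Added example: persist only allow-listed display fields from a login response.
const PROFILE_KEY = 'userProfile'; // hypothetical storage key
const ALLOWED_FIELDS = ['firstName', 'lastName', 'email', 'profileURI'];
// Copy only allow-listed string fields; everything else (password, token, ...) is dropped.
function pickDisplayFields(obj) {
  const out = {};
  if (obj === null || typeof obj !== 'object') return out;
  for (const field of ALLOWED_FIELDS) {
    if (typeof obj[field] === 'string') out[field] = obj[field];
  }
  return out;
}

// Web Storage holds strings only, so the filtered object is serialized first.
function saveProfile(storage, loginResponse) {
  storage.setItem(PROFILE_KEY, JSON.stringify(pickDisplayFields(loginResponse)));
}

// Stored values can be edited by the user or by scripts on the origin: re-validate on read.
function loadProfile(storage) {
  const raw = storage.getItem(PROFILE_KEY);
  if (raw === null) return null;
  try {
    return pickDisplayFields(JSON.parse(raw));
  } catch (err) {
    storage.removeItem(PROFILE_KEY); // corrupted entry: discard it
    return null;
  }
}

// In-memory stand-in for window.localStorage so the example runs outside a browser.
function makeMemoryStorage() {
  const data = new Map();
  return {
    setItem: (k, v) => { data.set(k, String(v)); },
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    removeItem: (k) => { data.delete(k); },
  };
}

// Constructed sample response with two fields that must not end up in browser storage.
const sampleResponse = {
  firstName: 'John', lastName: 'Doe', email: 'john.doe@xyz.com',
  profileURI: 'somelink.com', password: 'hunter2', sessionToken: 'constructed-token',
};
const demoStore = makeMemoryStorage();
saveProfile(demoStore, sampleResponse);
console.log(loadProfile(demoStore)); // only the four display fields remain
```

In a browser, pass `window.localStorage` as the `storage` argument; the values returned by `loadProfile` should still be rendered through normal output escaping (for example AngularJS interpolation) rather than inserted as raw HTML.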