1

For example, if I write a function in React which updates the password state to the password input value when the input field changes, is it dangerous to do so?

Noiseymur

2 Answers

0

Not an issue if it doesn't persist.

Storing in state is a common practice.

I have seen amplify-js sign-in code where they use state for storing the password. amplify-js is a library used for Amazon Cognito.

It's really dangerous to store in local storage.

The use of the local storage to store session identifiers is never recommended as the data is always accessible by JavaScript.

Please use cookies with the httpOnly flag to mitigate this risk, or store the token for fetch calls if you are using Mobile or Vue/React.js.

A single XSS (Cross Site Scripting) attack will be able to steal all the data in these objects and/or load malicious information, so don't consider the "local storage" to be trusted, and even less so for a session identifier/hashed password.

https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#Local_Storage

Also go through the rest of the cheat sheet.

It will answer most of the common queries.

iraycd
  • 1
    OP isn't asking about local storage, they're asking about React state. I assume it's going to be something like `const [password, setPassword] = useState("");` and some `<input onChange={e => setPassword(e.target.value)} type="password">` sort of pattern. – ggorlen Oct 19 '20 at 18:16
  • 1
    @ggorlen Thanks for the clarity. I will update my answer. :) – iraycd Oct 19 '20 at 18:23
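The HttpOnly cookie recommended in the answer above, shown on the server side as an added example that is not part of the original answer or of amplify-js. The names `sid`, `sessions`, `login` and `verifyPassword` are assumptions, and the in-memory map stands in for a real session backend.

```javascript
const { randomBytes } = require("node:crypto");

// Constructed in-memory session store (assumption for this example).
const sessions = new Map();

// Build the Set-Cookie value. HttpOnly keeps the identifier out of
// document.cookie, so script running in the page cannot read it the way
// it can read anything placed in localStorage.
function sessionCookie(sessionId, maxAgeSeconds = 1800) {
  return [
    `sid=${sessionId}`,
    "HttpOnly",
    "Secure",
    "SameSite=Strict",
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
  ].join("; ");
}

// Hypothetical login step. The password arrives once from the form
// (where it lived only in component state) and is never stored here;
// verifyPassword is supplied by the caller.
function login(username, password, verifyPassword) {
  if (!verifyPassword(username, password)) {
    return { status: 401, headers: {} };
  }
  const sessionId = randomBytes(32).toString("hex");
  sessions.set(sessionId, { username, created: Date.now() });
  return { status: 204, headers: { "Set-Cookie": sessionCookie(sessionId) } };
}

// Resolve the session from an incoming request's Cookie header.
function sessionFromCookieHeader(cookieHeader = "") {
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === "sid") return sessions.get(rest.join("=")) || null;
  }
  return null;
}
```

The response body carries no token, so the client has nothing to write to `localStorage`; the browser attaches the cookie to later requests on its own.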
-2

There is no problem, but the state must not have public access.