
I'm making a ReactJS application and there's a token-based authentication (Laravel Sanctum) which gets issued upon user login which I keep in the browser's local storage. Therefore I could look up the token and use it in an HTTP client like Postman.

Another thing that worries me is that I store member information in the local storage like:

{
    name: "John Doe",
    privileges: [1, 2, 3, 4],
    jobPositionID: 1,
    departmentID: 5
}

They are not sensitive information (other than the token), but I'm new to building SPAs and I'm unsure about the security aspect of it all.

ehmhrgelcighsawmlv
    The authorisation token that is sent with the request is *always* visible to the user who is issuing the request. This is completely normal. And your server should not distinguish between requests sent from the SPA code or from Postman. – Bergi May 23 '21 at 02:23
  • @Bergi how about the user information? Would its visibility pose a threat to the application's security? – ehmhrgelcighsawmlv May 23 '21 at 03:02
  • A threat by whom? What kind of attack are you worried about? We usually assume that only a user has access to their browser, and that a user knows their profile data anyway. – Bergi May 23 '21 at 03:04

1 Answer


Storing a session token in web storage (sessionStorage/localStorage) rather than Cookies is a relatively disputed subject. In essence, the main issue raised is that web storage doesn't provide any protection for the session token against XSS attacks, while Cookies support the "httpOnly" flag that prevents JavaScript from accessing the cookie, thus somewhat mitigating the issue.

You should consider using sessionStorage rather than localStorage as sessionStorage doesn't persist across browser sessions.

Also, I highly recommend reading this great post by James Kettle about storing tokens in Web Storage - https://portswigger.net/research/web-storage-the-lesser-evil-for-session-tokens

Lien