0

I'm very new to software development. I used Google login in React for the login mechanism, and store the unique Google ID for the user's id on MySQL. When success login occurs, this ID will be stored on the localStorage, so every time the user wants to get something from the database, I just pass in this ID to MySQL, this is the illustration:

// ----- Frontend ----- //
.post(URL, {id:localStorage.getItem("id")} )

// ----- Backend ----- //
id = req.body.id // Getting the id past from the frontend

// Get the items from database using this id
SELECT * FROM users WHERE user_id=id

But my problem is, what if the user opens their browser's console and changes the local storage value? This user can then access someone's information by just changing the local storage's value into something. If you know a reliable solution for this login system please let me know!

Vincent
  • 5
  • 1
  • 3
  • Instead of local storage use session cookies in the backend. Store your data in a global store like [`Redux`](https://redux.js.org/). This is the most common way. – Muhammed Bera Koç May 29 '21 at 10:17
  • @MuhammedBeraKoç do you think using JWT is better than session-cookie? – Vincent May 29 '21 at 13:34
  • I think JWT *sometimes* better than session-cookie. It only depends on your project. You have to look pros and cons and choose the better one for your case. – Muhammed Bera Koç May 30 '21 at 12:33

1 Answers1

1

Any sensitive information, like JWT token or Google login ID, should NOT be stored in localStorage, and the better option is to use HTTP only cookie.

This post answers your question and why you should use HTTP only cookie over localStorage:

https://stackoverflow.com/a/37396572/15881471

Cookies, when used with the HttpOnly cookie flag, are not accessible through JavaScript, and are immune to XSS. You can also set the Secure cookie flag to guarantee the cookie is only sent over HTTPS

Adel Tahir
  • 141
  • 4
  • 11