Which of the browser provided client-side storage option is better?
1 Answer
Storage of an access token within local storage depends on the visibility of your application. Is it a public facing web application or an internal organization web application?
If a public facing web application, then the access token should as a minimum have a short expiry duration. This is to minimize the possibility of an active session being accessible to other users that share the same machine.
Alternatively, you can use sessionStorage (see https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage), which keeps the value stored until the browser window or browser tab is closed. This is slightly better than using localStorage (see https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage).
Aside from using browser local or session storage, you can implement your own backend session management service or use a cloud based session storage provider such as Auth0 or Okta to handle the storage for you. Then you won't have to worry about session hijacking of a browser's stored tokens. This is recommended for high use, high visibility public facing web applications.
Reading user details can be done when you obtain the access token from your identity server when the user is authenticated. Then you will not have to execute additional requests to obtain other user details.

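The answer above recommends a short expiry and sessionStorage over localStorage, and reading user details from the token itself rather than with extra requests. The following is an added example, not code from the answer or from Auth0/Okta: a small `TokenStore` (hypothetical name) that works over any Web Storage compatible backend, records an absolute expiry next to the token so a stale token is never handed back, and decodes the claims of a JWT-shaped access token for display. The in-memory shim and the demo token are constructed so the block runs outside a browser.

```javascript
// Added example (not part of the original answer). Assumes a Web Storage
// compatible backend (sessionStorage, localStorage or the in-memory shim
// below) and JWT-shaped access tokens; TokenStore and helper names are
// hypothetical.

// Minimal Web Storage shim backed by a Map (getItem/setItem/removeItem only).
// Used as the fallback outside a browser and as an "in-memory only" option.
function createMemoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

// Prefer the least persistent storage available: sessionStorage dies with
// the tab, localStorage survives until explicitly cleared, memory dies with
// the page.
function pickBrowserStorage() {
  if (typeof sessionStorage !== 'undefined') return sessionStorage;
  if (typeof localStorage !== 'undefined') return localStorage;
  return createMemoryStorage();
}

class TokenStore {
  constructor(backend = pickBrowserStorage(), key = 'access_token') {
    this.backend = backend;
    this.key = key;
  }

  // Store the token with an absolute expiry (ms since epoch); returns it.
  save(token, expiresInSeconds, now = Date.now()) {
    const expiresAt = now + expiresInSeconds * 1000;
    this.backend.setItem(this.key, JSON.stringify({ token, expiresAt }));
    return expiresAt;
  }

  // Return the token only while unexpired; otherwise drop it and return null.
  // `!(now < expiresAt)` also treats a missing/NaN expiry as expired.
  get(now = Date.now()) {
    const raw = this.backend.getItem(this.key);
    if (raw === null) return null;
    let entry;
    try { entry = JSON.parse(raw); } catch { this.clear(); return null; }
    if (!entry || typeof entry.token !== 'string' || !(now < entry.expiresAt)) {
      this.clear();
      return null;
    }
    return entry.token;
  }

  clear() { this.backend.removeItem(this.key); }
}

// base64url helpers that work in browsers and in Node.
function base64UrlDecode(str) {
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bin = typeof atob === 'function'
    ? atob(padded)
    : Buffer.from(padded, 'base64').toString('binary');
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

function base64UrlEncode(bytes) {
  const bin = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
  const b64 = typeof btoa === 'function'
    ? btoa(bin)
    : Buffer.from(bin, 'binary').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Read the claims from the payload segment of a JWT for display only. The
// client cannot verify the signature, so these values must not drive
// authorization decisions; the API validates the token on every request.
function decodeJwtClaims(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(base64UrlDecode(parts[1]));
    return claims && typeof claims === 'object' ? claims : null;
  } catch {
    return null;
  }
}

// Constructed JWT-shaped demo token with a placeholder signature segment so
// the example runs offline; a real token comes from the identity server.
function makeDemoToken(claims) {
  const enc = (obj) => base64UrlEncode(new TextEncoder().encode(JSON.stringify(obj)));
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.placeholder-signature`;
}
```

In a browser, `new TokenStore()` lands on sessionStorage when it exists, which is the answer's preferred option; the stored expiry means a token left behind on a shared machine stops being usable at the time the server stopped honouring it, even if the tab was never closed. The claims decoder covers the answer's last point: `sub`, `name` or similar claims can be shown in the UI without an extra profile request, as long as the client never treats them as proof of anything.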
- Is Auth0 or Okta storage session provider? (https://auth0.com/docs/security/data-security/token-storage#browser-in-memory-scenarios) – Jan Garaj Oct 04 '21 at 21:20
- Yes. Both are cloud based authentication and authorization providers. – Andrew Halil Oct 04 '21 at 22:39
- Correct. Both are cloud based authentication and authorization providers, but your answer names them as "third party session storage provider", which is the correct term. – Jan Garaj Oct 06 '21 at 21:38
- Slight amendment with correction on providers. – Andrew Halil Oct 06 '21 at 23:39
- What's wrong with using cookie auth+csrf protection in web-based applications? Token-based authentication is for desktop/mobile apps. – Pieterjan Oct 07 '21 at 11:29
- I am only answering the original question about token storage, not necessarily endorsing use of token or cookie based authentication. I have used both before in projects. Each method has its own pros and cons. There is one good answer here that compares them: https://stackoverflow.com/questions/17000835/token-authentication-vs-cookies – Andrew Halil Oct 07 '21 at 12:41