I'm making an online quiz web application with Vue js, and .NET Web API. I have JSON Web Token Auth and pass the token in local storage, also I get all my questions and answers from my API and use vuex-persistedstate to keep my state when refreshing and switching routes. I store my state in the sessionStorage but realized that this is not a good idea since I have my answers and auth token there and anyone could just go to sessionStorage and see everything. Is there an alternative place where I can store my persisted state so it is not accessible by the public users of the quiz application?
Not really, if you store it on the front end, you will have it exposed at some point.
The JWT token is fine since it's meant to be public anyway (and not dangerous by itself).
As for the possible state that you do have there, you may consider fetching it only when needed.
I mean, if it's some kind of quiz thing where people need to guess it (and you don't want them to find that one out).
If it's your "regular data" that is available after a successful auth, then keep it there, no specific issues with it. You need to have it at some point and it will not get hacked under normal conditions.

– kissu
- Hello kissu, thank you for your advice. The problem that I'm having is that I also store the answers to the questions that I ask inside the state. When someone starts the quiz and I store everything in session storage, the user can just go there and see the correct answers; this is why I'm looking for a way to not show them in the session storage. I was thinking of fetching them after the quiz is finished, but this way a user can still see the correct answers after the quiz is done, and next time they go they would already know the answers. – Ibrahim Dec 14 '22 at 11:48
- @Ibrahim this is what I wrote above: "consider fetching it only when needed". You can always use a basic base64 thing to encrypt it locally too I guess, so it's not in clear text (and decrypt it once needed). Or fetch it once done, yes. – kissu Dec 14 '22 at 11:51
- Thank you very much for the advice. I guess I will figure out a way to either encrypt it or just fetch it when I need it and not put it into state at all. Thank you once again for the help. Have a wonderful day! – Ibrahim Dec 14 '22 at 12:01