Replies: 2 comments
-
Hi, glad you're interested and involved in the library and its improvement. What I would really like to have is XSS-safe token storage. That can be done via cookies, but I don't think that is supported by most authentication providers. If it's supported by some, a config parameter to enable this would be awesome. An alternative to cookies could be what Auth0 mentions here: https://auth0.com/docs/secure/security-guidance/data-security/token-storage#browser-in-memory-scenarios Not sure how this would work, or if it's actually XSS safe. If anyone is more knowledgeable on these topics, I'd be glad to hear about any proposals.
-
@idrm, and anyone else interested in this topic. The package supports using "sessionStorage" in place of "localStorage" with pull request #71, which will be available from version >=1.13
-
Storing auth details in sessionStorage in place of localStorage will improve security since it wipes out the data when the authenticated user closes the browser tab/window. Alternately, a new config setting can be added to indicate the type of browser storage used, which would cover cases where it's OK to retain the details past the active session.
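The config-selected storage backend proposed in the last comment, as an added example that is not the package's own code: `createTokenStore`, `fakeStorage` and `demo` are hypothetical names, and the Web Storage areas are injected so the same code runs under Node with constructed fakes (in a browser you would pass `window.localStorage` / `window.sessionStorage`). The `memory` backend keeps the token in a closure, so nothing is written to either storage area; script already running in the page can still call `get()`, which is why in-memory storage narrows XSS exposure rather than removing it.

```javascript
// Added example (not the library's code): token store whose backend is chosen by config.
const STORAGE_KINDS = ['localStorage', 'sessionStorage', 'memory'];

function createTokenStore({ kind = 'sessionStorage', key = 'auth_token', storages = {} } = {}) {
  if (!STORAGE_KINDS.includes(kind)) throw new Error(`unknown storage kind: ${kind}`);
  if (kind === 'memory') {
    // Token lives only in this closure: never in a Web Storage area, never on window,
    // so it is gone on reload/tab close and cannot be dumped by enumerating storage.
    // Code that can reach this store object can still call get(), so XSS is narrowed, not removed.
    let token = null;
    return { kind, set(v) { token = v; }, get() { return token; }, clear() { token = null; } };
  }
  const area = storages[kind];  // window.localStorage / window.sessionStorage in a browser
  if (!area || typeof area.getItem !== 'function') throw new Error(`storage "${kind}" unavailable`);
  return {
    kind,
    set(v) { area.setItem(key, v); },
    get() { return area.getItem(key); },
    clear() { area.removeItem(key); },
  };
}

// Minimal Web Storage-like fake, constructed for this example so it runs outside a browser.
function fakeStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

// Shows, per backend, where the token ends up: the memory store leaves both areas empty.
function demo() {
  const storages = { localStorage: fakeStorage(), sessionStorage: fakeStorage() };
  const results = {};
  for (const kind of STORAGE_KINDS) {
    const store = createTokenStore({ kind, storages });
    store.set('tok-' + kind);
    results[kind] = {
      roundTrip: store.get(),
      inLocal: storages.localStorage.getItem('auth_token'),
      inSession: storages.sessionStorage.getItem('auth_token'),
    };
    store.clear();  // reset so the next backend starts from empty areas
  }
  return results;
}

console.log(demo());
```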