Tags: asp.net-web-api, oauth, access-token

Is it safe to store an access token in the session storage of the client browser?


I am using token-based authentication in Web API to authenticate a user. I am using the client's browser session storage to store the access token. Is it safe to do so? Where should I store it to make it safer?

$('#btnLogin').click(function() {
    $.ajax({
        // Post username, password & the grant type to /token
        url: '/token',
        // The OAuth2 token endpoint expects a form-encoded body, which is
        // what jQuery sends for a plain data object; the content type must match.
        contentType: 'application/x-www-form-urlencoded',
        method: 'POST',
        data: {
            username: $('#txtUsername').val(),
            password: $('#txtPassword').val(),
            grant_type: 'password'
        },
        // The response (access token) is stored in the session storage of the client browser.
        success: function(response) {
            sessionStorage.setItem("accessToken", response.access_token);
        }
    });
});

Solution

  • It is perfectly safe to use localStorage or sessionStorage to store client tokens to perform subsequent authenticated requests to your API, as long as you have taken good measures in your API to manage that token and keep it safe:

    • The generated token doesn't contain part or the whole of the credentials (user or password).

    • The token is not just base64(username:password) as that can be easily decoded and compromise the user credentials.

    • Token has some expiration.

    • You are using https to call your api, to ensure the requests and responses are encrypted. So anyone "peeping" doesn't see the token or the credentials when making the request.

    • Token doesn't contain sensitive information

    • Token is signed (this would be great!, it depends on what type of token you are generating) so no one can tamper with the token, in case that token is associated with a user id or contains the expiration itself.

    • Token is not short (length), or easy to "guess" or generate (think of a brute-force attack). A signature really helps with this, especially with expirations that are part of the token itself (e.g. see JWT tokens).

    Local or session storage is just as safe as a cookie, see it this way. If the client's device is compromised, cookie or local storage, the whole thing is compromised. So it won't make much of a difference at that point.