I am working on an application (Frontend: React, Backend: Laravel). When I make a login request I get access_token from the Laravel server. I save this access_token in localStorage.
Now the problem is that anyone can see the access_token in developer tools in the browser. access_token is also visible in request headers.
If a user is not on his seat for some time, then some other user can steal this access_token and paste in his browser and now that other user will be able to access the application as the first user. Further I have seen some discussion on other websites that localStorage is prone to XSS attack.
My question is that where this access_token should be stored. If I save access_token in some javascript variable then access_token is lost when the user closes and reopens the browser or user refreshes the page. And he will be asked to login again, which is bad for user experience.
How can I protect access_token from unauthorized access? What are the best practices?
Although, this type of hijacking is possible in facebook and other websites as well but Here are few suggestions
Add some button on that landing page to open actual website with some dynamic token authentication with restricted browser options by opening new window with javascript e.g.
www.yoursite.com/secure_login?abc=3jfj834y7827875448548hffhjdhfd8
On direct browsing of link (www.yoursite.com/secure_login) give error. Your dynamic token will serve as session key etc. It is just like CSRF functionality.