Tags: web-applications, rest, webclient, basic-authentication

What's a secure way to cache credentials for an in-browser ajax client?


  1. User enters rich web app via his browser
  2. User enters login credentials. Credentials are encoded and cached. (The credentials are for an in-browser REST client that will use xhr to interact with the server.)
  3. User performs various tasks/updates, each of which makes an ajax request passing along the encoded credentials (basic authentication via https).
  4. User clicks on a link which takes him to another resource (a full page reload occurs rather than a smaller ajax request).

Since the entire application uses an internal REST client, each request has to pass along credentials. I have no problem prompting the user for those credentials when he first accesses the site. The question is what’s the safest way to store his encoded username/password hash? If this was a single-page web app, I guess this could be safely cached in memory. However, as the user sometimes moves to other resources (step 4), I would like to allow him to continue working without having to authenticate again. This must involve caching his credentials somewhere (in a cookie or localStorage?). Anyway, I need to access his already provided credentials so that the client can continue passing them along on every request even after a full page reload.

I am concerned with doing this in a secure manner. Are there best practices for this?


Solution

  • I think either LocalStorage or cookies would be a fine place to store your credentials... personal preference would be LocalStorage. I do this with a couple of OAuth-based web applications.

    You could choose to encrypt/decrypt the information going in and out of whatever you end up choosing:

    https://stackoverflow.com/questions/2299434/bcrypt-implementation-in-javascript

    As an aside, you may want to look into OAuth as there is a workflow defined in the specification for your exact use case.
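The flow described in the question, as an added example that is neither the asker's nor the answerer's code: a small cache for the in-browser REST client that encodes the Basic credentials, keeps them in Web Storage with an absolute expiry so a full page reload (step 4) does not force a new login, and hands back the Authorization header for each xhr call. The storage key name, the TTL parameter and the Map-backed storage stub are assumptions; in a browser, pass window.sessionStorage (discarded when the tab closes) or window.localStorage instead.

```javascript
// Minimal stand-in for the Web Storage API (constructed for offline use);
// in a browser pass window.sessionStorage or window.localStorage instead.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

const KEY = 'rest-client.basic-auth'; // storage key (assumed name)
// Authorization value for user:password (RFC 7617). btoa expects Latin-1,
// so encode to UTF-8 bytes first and non-ASCII passwords survive.
function basicToken(username, password) {
  const bytes = new TextEncoder().encode(`${username}:${password}`);
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return 'Basic ' + btoa(bin);
}

// Cache the header value with an absolute expiry: a full page reload within
// ttlMs reuses it without re-prompting, while a stale copy is never sent.
function cacheCredentials(storage, username, password, ttlMs, now = Date.now()) {
  const entry = { token: basicToken(username, password), expires: now + ttlMs };
  storage.setItem(KEY, JSON.stringify(entry));
  return entry.token;
}

// Cached value, or null (purging the entry) when missing, malformed or expired.
function cachedAuthorization(storage, now = Date.now()) {
  const raw = storage.getItem(KEY);
  if (raw === null) return null;
  let entry = null;
  try { entry = JSON.parse(raw); } catch { /* corrupt entry, treated as absent */ }
  if (!entry || typeof entry.token !== 'string' || !(now < entry.expires)) {
    storage.removeItem(KEY);
    return null;
  }
  return entry.token;
}

// Headers for one xhr/fetch call, or null when the user must log in again.
function authHeaders(storage, now = Date.now()) {
  const auth = cachedAuthorization(storage, now);
  return auth === null ? null : { Authorization: auth };
}

// Call on logout so the cached credentials do not outlive the session.
function clearCredentials(storage) { storage.removeItem(KEY); }
```

Anything a page script can read from Web Storage, any other script running on that origin can read too, so the short expiry and the explicit clear on logout are what bound how long a cached copy stays usable.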