Best place to store authentication tokens client side ...
There are two ways you can save authentication information in the browser:
Cookies
HTML5 Web Storage

In each case, you have to trust that browsers are implemented correctly, and that Website A can't somehow access the authentication information for Website B. In that sense, both storage mechanisms are equally secure. Problems can arise in terms of how you use them though.
If you use cookies:
The browser will automatically send the authentication information with every request to the API. This can be convenient so long as you know it's happening. You have to remember that CSRF is a thing, and deal with it.

If you use HTML5 Web Storage:
You have to write JavaScript that manages exactly when and what authentication information is sent.

The big difference people care about is that with cookies, you have to worry about CSRF. To handle CSRF properly, you usually need an additional "synchronizer token".
All-in-one web frameworks (like Grails, Rails, p...