Is there a safe way to save client-side authentication token for SPA?

Question

Is there a safe way to save client-side authentication token for SPA?

If we get the token from the rest of the server and use the AuthorizationToken header in each authorization request, we still need to save it when the browser page is closed.

The only universal way to do this is to put a cookie on the cookie. But in this way, even if cookies are not used for authentication, they can be stolen by XSS. And we cannot use the httpOnly flag. So:

Are there any other ways to protect the token and are stored in it?
If HTTPS is used during the whole session, and cookies with a token were stolen, is it possible to capture an https session with a token?

+3

authentication rest cookies xss token

Dmitry Komar Mar 04 '15 at 13:20

source share

1 answer

Thierry Templier · Accepted Answer · 2015-03-04T18:24:33+0000

My answer is perhaps a bit naive, but why not store the token in the persistence store of your browser. If you are using Angular, with the code described below:

function((...), $window) {
    (...)
    $window.sessionStorage['userToken'] = '<user-token>';
}

I do not see other approaches (exception cookies) to keep such prompts when the browser page is closed.

The problem with cookies is that your client must be a browser in order to use this feature transparently ... Also, this is really not the best approach for authentication in RESTful services; -)

, : https://templth.wordpress.com/2015/01/05/implementing-authentication-with-tokens-for-restful-applications/.

, JS, Angular, XSS. . , :

, , Thierry

Is there a safe way to save client-side authentication token for SPA?

More articles: