Geek Answers Handbook

Why can't I store the oauth update token in the browser?

I want to save the oauth update token in the browser. The reason I want to save it is because the application can update the access token and allow the user to continue the session without interruption. I also want to get rid of the need to cache any type on the server to store tokens, which makes it workable.

I was told that saving the update token in the browser is incorrect, because it is unsafe.

I think that everything is in order, because:

  • The icons will be stored in httpOnly, a secure session cookie, so they should not be vulnerable to XSS or the person in medium attacks, and they will be dropped when the user closes the session.
  • All communication with the server is via HTTPS
  • update token may be invalid if suspicious activity is detected.
  • Most importantly, you cannot use the update token if you do not know the secret of the client, which will be known only to the server.

Am I really mistaken in thinking that everything is in order? Please explain why!

+7
security authentication web-applications refresh-token oauth2
source share
1 answer

Storing tokens in httpOnly, a secure cookie, is probably best for security. Sometimes the problem is that the httpOnly cookie is not good enough due to other (insecure) reasons, because Javascript obviously does not have access (that's the point). Therefore, people sometimes want to store tokens in other browser stores, such as localStorage, or slightly better, in JavaScript objects, both of which are significantly less secure than the httpOnly cookie (but it can still be good enough for some applications).

Storing a token in httpOnly and a secure cookie makes it largely equivalent to a session identifier, and its security will also be the same in this regard (it is obvious that other aspects may be different).

+4
source share

More articles:


All Articles