Are there any security issues with storing the HTTP Basic authorization header in localStorage?

I am creating a web application that accesses a private API. The API I am consuming is using HTTP Basic Authentication over TLS. A client of mine has requested a "remember me" feature for a web application so that users can maintain persistent authentication on a given device.

My quick and dirty solution is to keep the Authorization header in localStorage after checking it out. Of course, given unlimited access to the user's device, anyone worth their salt can copy the auth header from localStorage and decode it to get the user's login/password combination.

Apart from the general compromise of the device, are there any other security implications of storing this type of sensitive data in localStorage? Is localStorage an acceptable place to store sensitive data such as passwords? If not, how would you store such data on the user's device outside of a separate browser session?

(I wish everyone could just use their private key... passwords are 90 seconds)

EDIT: After reading about the security of HTML5 localStorage, it seems obvious that storing sensitive data in localStorage in general is a bad idea, but what's the best option for authentication in this case?

1 answer


I think it is a bad idea to store something related to login or password on the user side.

But once the user is logged in, you can store a random string (like a random hash) on the user side and in your database. When the user comes back, you can compare the two, and if they are identical, you can log the user in. And you can ask the user to enter a password for sensitive actions (change password or login, etc.). Thus, even if the hash is stolen, no one will be able to gain full access to this account.



Edit: This concept is already being used with cookies. I've never tested it with localStorage.







