Token-based authentication - security vulnerability?

We are making an HTML5 AngularJS app. We use token-based authentication. The authentication process registers the user, then a JWT is returned to the application, which stores it in sessionStorage.

We requested a security audit of the application, and the tester said the big problem is that the token is stored in sessionStorage, because an attacker could copy the token and impersonate the user from another device.

Where and how should I store this token to make sure it is safe? Is it even a risk to leave it in sessionStorage, since the hacker would need access to the actual device to carry out this attack?


1 answer


One way to improve the security of the token store is to store the token in a cookie with the HttpOnly flag set. This would mean that the token can only be accessed through HTTP requests.