0

I have an application to which I log in using using javascript. After being authenticated, the server sends me a token, which I have to append to each ajax requests I make to the server so that the server knows that I am eligible to ask for information. However, my application is not single-page application which means that after clicking on links, the page gets reloaded and I need to re-authenticate.

Is it possible to safely save the token and access it again after page reload?

The options I have thought of are saving it in cookie or in local/session storage, however, I'm not sure whether these are safe enough.

Do you know of any other, safer way to save the token on client side? Or perhaps do you know whether the options I mentioned are safe enough to store such a sensitive information?

Thanks for any suggestion.

Edit: I can't change the server-side application, the token must be stored on the client.

leopik
  • 2,323
  • 2
  • 17
  • 29

2 Answers2

1

Local Storage: is not the safer way to keep confidential/sensitive information.

Cookies: Well there is a lot written about stealing cookies and preventing Cross Site Scripting.

Session Storage: is safe but the question is which technology you are using on the server side. Is it NodeJS or PHP or anything else??

I have used NodeJS and PHP both for authentication.

With Express.js you can maintain a session for each user and check/authenticate on every request/page load and validate whether it is a valid user/request or not. And it also provides an active session check i.e, If a user is inactive for sometimes the session will be automatically destroyed/cleared/cleaned.

In addition with passport.js you can also implement this but it depends on your requirements.

Check this LINK

Community
  • 1
  • 1
Varun Chakervarti
  • 1,012
  • 8
  • 24
  • On the server side it is a Microsoft-written application and I don't have access to the binaries, so changing the server side is not an option. I have to store the token on the client side. – leopik Dec 05 '14 at 10:02
  • There is one another option which I have used but I don't know whether it is safer or not. I have created a `` element and appended this element anywhere in the document. Now I can access/modify/update accordingly. – Varun Chakervarti Dec 05 '14 at 18:12
0

When you think the token is confidential then you should not think about saving it in client side.

Even if you are in a situation where you want to save such a confidential info in client side then the same what you mentioned is correct(Cookie,Local/session storage). Encrypt your token before save.

Local storage: It is saving data under your domain. No other domain don't have access local storage information of your information.

Please correct me if I am wrong, accept it if I am correct.

Ilaiya
  • 21
  • 5