Stashing user data in PhoneGap Browser

Question

I am making a local webapp that will have a login page.

I am using PhoneGap to make the app local and I wold like to stash some user data in a cookie or something like that.

So far I have been stashing the username and encrypted password in the cookie, is that very unsafe and what wold be a better and safer way to do this?

Have you considered using an alternative such as bearer tokens to skip the storage of sensitive user information in the first place? — gelliott181, Sep 15 '16 at 16:37
You can! I answered with what I hope are some good starting points for your consideration. — gelliott181, Sep 15 '16 at 19:07

score 0 · Accepted Answer · edited May 23 '17 at 12:19

To respond with better alternatives, I'd like to point you to Stormpath's Auth article and a related StackOverflow question. The Stormpath article has some big name options if you don't like writing this sort of code (I love it.) and the related question has a great answer with examples I'd have stolen otherwise.

I'd love to quote you some snippets to clear things up, but there's a zillion ways to handle implementations. The basic flow is this:

Client passes credentials to Server
Server Authenticates credentials
Server generates a token (UUID, random string, whatever)
Server replies with the requested info and token
Client sends token with the next request
Server matches token to authenticated session
Repeat 4-6 until the session is expired (Logout or timeout)

My own implementations usually continue differently to prevent some other security issues:

Server deprecates the token used by the request
Server generates a new token
Server replies with requested info and new token
Repeat steps 5-9 until the session is expired (Logout or timeout)

Thank you very mutch! @gelliott181 – Thedtxy Sep 15 '16 at 19:27 — Thedtxy, Sep 15 '16 at 19:27

Stashing user data in PhoneGap Browser

1 Answers1