jeffroush + authentication   17

security - SPA best practices for authentication and session management - Stack Overflow

One thing you appear to overlook: Cookies are XSS safe when marked httpOnly, and can be locked down further with secure and samesite. And cookie handling has been around much longer === more battle hardened. Relying on JS and local storage to handle token security is a fool's game. – Martijn Pieters♦ Jul 22
august 2018 by jeffroush
Your API-Centric Web App Is Probably Not Safe Against XSS and CSRF
The bottom line is: session storage (and local storage) isn’t safe. Any serious penetration test marks usage of web storage for authentication tokens as a serious vulnerability. Many banking and insurance organizations forbid web storage for this reason.
security authentication
august 2018 by jeffroush