IdentityModel / oidc-client-js

OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications
Apache License 2.0

Security difference between using localStorage and sessionStorage? #1307

Closed turbolego closed 3 years ago

turbolego commented 3 years ago

I know that there's a difference between localStorage and sessionStorage when it comes to persistence, but is there a security difference between localStorage and sessionStorage if the tokens have the same expiration time?

I was able to switch from sessionStorage to localStorage by just flipping every instance of "sessionStorage" to "localStorage" and setting this in the auth-service file: "userStore: new Oidc.WebStorageStateStore({store: localStorage})".

But is there any difference in terms of security?

Thanks! 😄

jeroenheijmans commented 3 years ago

Your token "expires" effectively when either it expires based on expiration-time, or when the storage mechanism purges it.

Since sessionStorage is typically shorter-lived (doesn't survive a browser restart, normally) and less broadly available (scoped to your browser tab, whereas localStorage is available to your app in all tabs), there will be fewer attack vectors.
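The point above is that a token's effective lifetime is the shorter of its own expiry and the life of the store holding it. The following added example (not code from the issue or from oidc-client-js itself) is a small audit helper that lists the OIDC users held in a Web Storage object and purges the ones whose token has already expired, so an expired token does not sit in a long-lived localStorage. It assumes oidc-client-js's default layout: WebStorageStateStore prefixes keys with "oidc." and the UserManager stores the user under "oidc.user:<authority>:<client_id>" as JSON with an "expires_at" field in Unix seconds. The in-memory MemoryStorage class and the sample entries are constructed so the code runs under Node without a browser.

```javascript
// Added example, not part of the issue thread or of oidc-client-js.
// Assumed layout (oidc-client-js defaults): key "oidc.user:<authority>:<client_id>",
// value = JSON with "expires_at" in Unix seconds.

// Minimal in-memory stand-in for window.localStorage / window.sessionStorage so
// this runs under Node; it implements the subset of the Web Storage API used here.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// List every stored OIDC user together with whether its token has expired.
// Unparseable entries are reported as expired so they get cleaned up too.
function listStoredUsers(storage, nowSeconds, prefix = "oidc.user:") {
  const result = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    if (!key || !key.startsWith(prefix)) continue;
    let expiresAt = null;
    try {
      const user = JSON.parse(storage.getItem(key));
      expiresAt = typeof user.expires_at === "number" ? user.expires_at : null;
    } catch (e) {
      // malformed entry: leave expiresAt null, which marks it as expired below
    }
    result.push({
      key,
      expiresAt,
      expired: expiresAt === null || expiresAt <= nowSeconds,
    });
  }
  return result;
}

// Remove entries whose token is expired (or unparseable). Entries are collected
// first and removed afterwards so the index-based iteration is not disturbed.
// Returns the number of entries removed.
function purgeExpiredUsers(storage, nowSeconds) {
  const stale = listStoredUsers(storage, nowSeconds).filter((u) => u.expired);
  for (const u of stale) storage.removeItem(u.key);
  return stale.length;
}

// Constructed sample store: one live user, one expired user, one corrupt entry,
// and one unrelated key that the helper must ignore.
function buildSampleStore(nowSeconds) {
  const s = new MemoryStorage();
  s.setItem("oidc.user:https://idp.example:spa",
    JSON.stringify({ access_token: "live-token", expires_at: nowSeconds + 600 }));
  s.setItem("oidc.user:https://idp.example:other",
    JSON.stringify({ access_token: "old-token", expires_at: nowSeconds - 60 }));
  s.setItem("oidc.user:https://idp.example:bad", "not json");
  s.setItem("unrelated", "x");
  return s;
}

// Stand-alone run: audit the sample store, then purge it.
const now = Math.floor(Date.now() / 1000);
const store = buildSampleStore(now);
console.log(listStoredUsers(store, now));
console.log("purged:", purgeExpiredUsers(store, now), "remaining:", store.length);
```

In a browser you would pass `window.localStorage` or `window.sessionStorage` and `Date.now() / 1000` instead of the in-memory store; running the purge on page load is one way to make localStorage behave a little more like the shorter-lived store, although it does nothing for a token copied out of storage before it expired.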

turbolego commented 3 years ago

> Your token "expires" effectively when either it expires based on expiration-time, or when the storage mechanism purges it.
>
> Since sessionStorage is typically shorter-lived (doesn't survive a browser restart, normally) and less broadly available (scoped to your browser tab, whereas localStorage is available to your app in all tabs), there will be fewer attack vectors.

Thank you @jeroenheijmans ! 😄 So tokens stored in either sessionStorage or localStorage can be attacked using the same methods? Are there attack methods that only work for localStorage and won't work for sessionStorage?