gsklee / ngStorage

localStorage and sessionStorage done right for AngularJS.
MIT License

Security in $sessionStorage #216

Closed juanwilde closed 8 years ago

juanwilde commented 8 years ago

Hi! I'm using ngStorage in one of my Ionic Apps to store info and, after login, I store some variables to grant access to users by checking these values when the user calls some methods in the controllers.

My question is if there is a possibility for another user to know what these values are? I don't want to know how, but it is important for me to know if these $sessionStorage variables are like $_SESSION in PHP, for example, in order to keep this "security level" or change it to prevent "curious" users from getting info from my API.

Thanks in advance :)

ahmad-moussawi commented 8 years ago

$sessionStorage is just a wrapper for the native window.sessionStorage, and there is no relation at all between your logged in session (that relies on cookies) and the browser session (based on window.sessionStorage), unless you have handled this by yourself, for example, after login you save the user info in the sessionStorage, and you clear it on logout.

Of course you can't rely on this, since sometimes the app crashes before clearing the storage etc., so you always have to validate on the server side.

One case where multiple users can share the same sessionStorage is when multiple users use the same device and the session is not cleared correctly after the first one logs out.

Another case is when your app is vulnerable to XSS attacks, so your session variables can be read by a script.

egilkh commented 8 years ago

sessionStorage / localStorage is open to any device / user / browser that can read it. Most common browsers restrict it at the domain level, meaning any JavaScript on a domain will have access to the same localStorage / sessionStorage.

ngStorage does not impose any restrictions on this; it is a simple abstraction of these storages.

I would not consider that "secure" but it all depends on what you put in it and how you encrypt (or do not encrypt) those values.