mint-o-badges / badgr-server

Open Badge issuing and management with Django
GNU Affero General Public License v3.0

server: Reconsider where we store access tokens #176

Open zven opened 1 month ago

zven commented 1 month ago

Currently we store all our access tokens (be it "normal" ones we issue or the OIDC ones) in the local / session storage (by default in the local storage). The local storage is not recommended for this use, as it stores the token forever (until it's deleted) and is not considered secure (it's vulnerable to XSS attacks). The session storage seems to be more secure but still somewhat vulnerable to XSS attacks.

A third option would be to store tokens in cookies. These are not secure by default but have parameters to make them more secure. However, they are vulnerable to CSRF attacks.

The fourth option (which is also recommended in the first article) is to not store the token in the browser at all, but rather in the backend. This would mean that the token is stored in the Django session. I don't entirely understand how this makes it more secure (since the session identifier is still somehow stored in the browser), but maybe it's worth checking it out.
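The "fourth option" above, as an added illustration that is not part of this issue or of badgr-server's code: the backend keeps the access token in a server-side session and hands the browser only an opaque session id in an `HttpOnly`, `Secure`, `SameSite` cookie, so the token itself is never readable by page scripts. The in-memory `SESSIONS` dict and the `sessionid` cookie name are assumptions standing in for Django's `request.session` and its session cookie.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Constructed in-memory stand-in for the server-side session store. In Django
# this would be request.session (DB/cache backed); the token never leaves the server.
SESSIONS: Dict[str, Dict[str, str]] = {}


def store_token_server_side(access_token: str) -> str:
    """Keep the access token in the backend session and return only an
    unguessable, opaque session id for the browser."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"access_token": access_token}
    return session_id


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie header for the session id with the flags that
    address the gaps named in the issue: HttpOnly keeps it out of reach of
    JavaScript (XSS), Secure keeps it off plaintext HTTP, SameSite limits
    cross-site sends (CSRF)."""
    cookie = SimpleCookie()
    cookie["sessionid"] = session_id
    cookie["sessionid"]["httponly"] = True
    cookie["sessionid"]["secure"] = True
    cookie["sessionid"]["samesite"] = "Lax"
    cookie["sessionid"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def token_for_request(cookie_header: str) -> Optional[str]:
    """Resolve the browser's Cookie header back to the token, server side.
    Unknown or missing session ids yield None rather than an error."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("sessionid")
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value, {}).get("access_token")


if __name__ == "__main__":
    sid = store_token_server_side("constructed-access-token")
    print(session_cookie_header(sid))
    print(token_for_request(f"sessionid={sid}"))
```

What this does not fix: a script injected into the page can still issue requests that carry the session cookie, so XSS still has to be addressed; the difference is that such a script cannot read or exfiltrate the token, and a leaked session id can be revoked server-side without rotating the upstream token.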

timber-they commented 1 month ago

@zven there's still input needed for this one.