nraboy / ng-cordova-oauth

AngularJS oauth library for use with Apache Cordova projects
https://www.thepolyglotdeveloper.com
MIT License

Security issue - Session keys, token are getting stored #314

Closed lakshaydulani closed 7 years ago

lakshaydulani commented 7 years ago

I have implemented LinkedIn authentication in an Ionic app. InfoSec has come up with the issue that session keys and other tokens are being stored in the app_webview folder.


Please let me know if there is some configuration which I haven't done, or any other approach.

Sorry for creating an issue. I checked for the same but didn't find an issue for this.

Thanks!

nraboy commented 7 years ago

Please see the following line:

https://github.com/nraboy/ng-cordova-oauth/blob/master/src/oauth.linkedin.js#L30

Based on this line we have the following piece of code:

clearsessioncache=yes,clearcache=yes

That said, nothing should be cached after the InAppBrowser closes. You might raise an issue ticket with Apache Cordova if data is being stored. There is nothing in this library that would store anything as it is heavily dependent on the Apache Cordova InAppBrowser.

Best,
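
Added example, not part of the comment above and not code from ng-cordova-oauth: a small audit helper that checks an InAppBrowser options string for the two cache-clearing flags quoted in this thread and returns a corrected string. The function names and the sample option strings are assumptions constructed for illustration.

```javascript
// Flags quoted in the thread; both must be "yes" in the options string
// passed as the third argument when the InAppBrowser window is opened.
const REQUIRED_FLAGS = ['clearsessioncache', 'clearcache'];

// Parse "key=value,key=value" into a Map (keys and values lowercased).
function parseOptions(optionString) {
  const options = new Map();
  for (const pair of String(optionString || '').split(',')) {
    const idx = pair.indexOf('=');
    if (idx === -1) continue; // skip malformed entries with no "="
    const key = pair.slice(0, idx).trim().toLowerCase();
    const value = pair.slice(idx + 1).trim().toLowerCase();
    if (key) options.set(key, value);
  }
  return options;
}

// Return the required flags that are missing or not set to "yes".
function auditCacheFlags(optionString) {
  const options = parseOptions(optionString);
  return REQUIRED_FLAGS.filter((flag) => options.get(flag) !== 'yes');
}

// Return an options string with both flags forced to "yes",
// keeping every other option the caller supplied.
function hardenOptions(optionString) {
  const options = parseOptions(optionString);
  for (const flag of REQUIRED_FLAGS) options.set(flag, 'yes');
  return Array.from(options, ([k, v]) => `${k}=${v}`).join(',');
}

// Constructed sample inputs.
const good = 'location=no,clearsessioncache=yes,clearcache=yes';
const weak = 'location=no,clearcache=no';
console.log(auditCacheFlags(good)); // nothing to report
console.log(auditCacheFlags(weak)); // both flags reported
console.log(hardenOptions(weak));
```

The InAppBrowser plugin documentation describes both options as clearing the cookie cache before the new window is opened, so an on-device check of the app_webview folder after login is still the way to confirm what remains on disk.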

lakshaydulani commented 7 years ago

Thanks @nraboy. Just to confirm, the code is already clearing the cache. No need for any configuration.