Open Hari-sankoju opened 1 month ago
React-auth-kit doesn't support sessionStorage for token storage due to its specific implementation and design choices.
For storing tokens in a more secure manner, consider using IndexedDB to encrypt tokens before storing them. This way, even if someone accesses the storage, they won't be able to read the token without the decryption key.

If you want to protect tokens stored in cookies, you can use the:

- `HttpOnly` flag to prevent JavaScript access.
- `Secure` flag to ensure cookies are only sent over HTTPS.
- `SameSite` attribute to prevent cross-site requests.

Can you provide a sample piece of code on how to use IndexedDB to store the token instead of localStorage, and how we can tell react-auth-kit to look in that storage?
Is there any option to encrypt the token before storing it in localStorage so that an external user cannot use that token anywhere? Is there any way to do that?
For using IndexedDB look here : https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API/Using_IndexedDB
You can use crypto-js for encryption, although it is currently discontinued: https://github.com/brix/crypto-js
I believe cookies are not safe and are vulnerable. Internal storage is also available in the browser forever if the user won't log out and just closes the browser. So my question is why sessionStorage is not in scope for token storage in react-auth-kit.
I am able to copy the token from developer tools -> Application tab, either from cookies or from internal storage. How can we protect the cookies so that the user cannot see or copy the token? Is there any way to store the token in internal storage but encrypted?