I guess the difference with tokens in local-storage vs not, is that an XSS attack could steal the tokens from local storage. But an XSS attack could also install a key logger and obtain username/password, or forge requests to your API, why should it even care about getting the tokens? Also the stolen tokens might be sent somewhere else and used from another IP address, but perhaps the back-end security would notice the change in IP address and shut that session down. So I do see your point about XSS being a bigger threat than local storage.
Local storage is vulnerable to malware running on a machine grabbing it from disc. Also shared computers. So there are possibly some other ways than XSS in which local storage opens up attacks.
At the moment, I am adding the ability to export the LoggedIn state from my auth module, and to try and restore it, with a pair of functions like this:
saveState : Model -> Value
restore : Value -> Result String Model
The idea is that an application can take that Value JSON (which will contain the tokens) and put it in local storage, and on page refresh or new tab, it can retrieve that JSON and attempt to go straight back into the
I still feel this is risky, but I think so long as I document the potential risks so that users can make an informed choice that should be ok?
I have another way I would like to try, which may be more secure…