Reputation: 1395
Password in sessionStorage
I have a single-page AngularJS app, and authenticate my website via websockets using no cookies. This means a refresh logs the user out. How bad is it to store the password on sessionStorage, so they can refresh during the session? (The username will be in localStorage, and I don't want the full login to persist between sessions).
Thanks!
EDIT:
What I'm more interested in is if there are there any actual security risks for storing in such a way. Is it any less secure than how Chrome stores passwords in plaintext, or how cookies are unencrypted?
Upvotes: 1
Views: 3049
Answers (3)
Reputation: 1718
What you want to do is... create some hash on your server, and save it on the localStorage.
Send this hash on each request, and the server should validate/handle it, and respond with the appropriate credentials.
But that is also 'not as secure as you may want it to be', so... you can change the hash every x minutes, or have it time out after X minutes of innactivity.
Never store plain text passwords, and never include your hashing algorithm on the client side.
Upvotes: 0
Reputation: 4960
I don't think you'd want to store the password. You could generate a session token and store that in the sessionStorage. Anyway, if you come to store the password itself, don't store it as plain text.
Upvotes: 0
Reputation: 156
Are you trying to avoid localstorage, or just cookies?
You could store a session ID in the session storage, and authenticate the user using that, under no circumstances would I store a users password cleartext though.
Upvotes: 1
Related Questions
- PasswordCredential does not store the data
- Save DOM Element in SessionStorage
- How to use sessionStorage for a webpage for a login user?
- sessionStorage registration
- sessionStorage not persisting between pages
- Session Storage Array Key
- sessionStorage isn't working as expected
- sessionStorage in Firefox
- SessionStorage seems to remain empty
- Password protect html page