Zyzz

Reputation: 13

Session storage security

I'm using a Parse backend for my web app which uses the JavaScript API. I've currently got a log in page which redirects to another web page which allows data that's stored in the backend to be viewed.

Once I redirect to the page after logging in, though, I'm no longer logged in. I've come up with what looks like a solution but I'm not quite sure.

I've considered simply using a login page, storing the username and password in sessionStorage and then once the new page loads, basically logging back in with those credentials. This seems somewhat cumbersome though and I'm worried about the security implications involved with storing this kind of information in session storage.

I've read of people using session tokens, though I'm only new to web development and I'm unsure of how to go about this or if it's the right way to go.

Upvotes: 0

Views: 1821

Answers (1)

Ricconnect

Reputation: 1079

It is never secure to save a username and password in sessionStorage. The sessionStorage can be read by someone with access to the device, who can use this for other purposes. Parse has its own guidelines for using its API, where they have long thought about the security of their API.

Because you are new to web development in general, I would suggest you read the security guidelines from Parse and how to use Parse in JavaScript.

When a user logs in, `Parse.User.current()` is set. This is a cache object and can be saved to local storage. This does not contain the username and password of a user but instead a sessionToken and probably other information. This cached object needs to be used when communicating with the Parse API. Please read this part about the current user to get a better understanding about how this works.

Upvotes: 1
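The flow the answer describes, as an added example that is not part of the original question or answer: log in once through the SDK, then on the next page reuse the cached `Parse.User.current()` and confirm its session token with the server instead of replaying stored credentials. The function names and the storage-key pattern are assumptions; `Parse` (the Parse JavaScript SDK object) and `storage` (`window.sessionStorage` or `window.localStorage`) are passed in as parameters.

```javascript
// Added example. `Parse` is the Parse JavaScript SDK object and `storage` is
// window.sessionStorage or window.localStorage; both are passed in so the
// logic does not depend on globals. Function names are hypothetical.

// Key names that suggest credentials were written to web storage (assumed pattern).
const CREDENTIAL_KEY = /pass(word|wd)?|pwd|secret|credential/i;

// Audit helper: return the storage keys that look like stored credentials.
function findStoredCredentials(storage) {
  const hits = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    if (CREDENTIAL_KEY.test(key)) hits.push(key);
  }
  return hits;
}

// Login page: hand the password to the SDK once and never persist it.
// The SDK caches the resulting user (with its session token) on its own.
async function logIn(Parse, username, password) {
  const user = await Parse.User.logIn(username, password);
  return user.getUsername();
}

// Data page: reuse the SDK's cached user instead of logging in again.
// Returns the user, or null when the caller should redirect to the login page.
async function restoreSession(Parse) {
  const user = Parse.User.current();
  if (!user) return null;          // nothing cached: the user never logged in
  try {
    await user.fetch();            // round trip confirms the session token is still valid
    return user;
  } catch (err) {
    if (err.code === 209) {        // 209 is Parse.Error.INVALID_SESSION_TOKEN
      await Parse.User.logOut();   // drop the stale cached user
      return null;
    }
    throw err;                     // network or other failure: let the caller decide
  }
}
```

In a page script, call `restoreSession(Parse)` on load and send the browser to the login page when it resolves to `null`.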
