Joseph Ocasio

Reputation: 999

Session ID validation - Security - Ionic/Angular

I have been struggling for the past month on the solution to this.

When the user gets logged in, a session token is created in the DB and stored in the localStorage. This enables me to validate the user (by sending the sessionID to the server and comparing its value to the value stored on the DB) every time a critical server call is made, but if I copy a particular session ID from the localStorage of any user I can paste it into my localStorage and be validated too. This is a very big gap that I need to fill. What is the correct approach to validate the sessionID and prevent someone from copying and pasting it? How do I make the localStorage encoded to the user?

Notes: SessionID is created using JWT, session token is completely random and created after logging in, the value gets stored on a column of the user's column and saved on the localStorage

Upvotes: 1

Views: 796

Answers (1)

Michael Davis

Reputation: 2430

There is not anything you can do to completely protect against something like this. If an attacker has physical access to a machine to be able to copy and paste from local storage, there is nothing you can do to stop them.

There are a few things you can do to slightly mitigate it, but they are more window dressing than anything else, and they usually cause more problems than they solve. One of these is pinning the session to an IP address. If the session begins at one address and then moves to another address, you can invalidate the session and force the user to re-authenticate. However, this causes many problems with legitimate users as their machine hops across networks. Mobile devices have exacerbated this, but even stationary machines have trouble keeping a steady IP address.

Upvotes: 3
