Firebase authentication persistence

Question

I understand there is a setPersistence method in Firebase to persist the user's session. However, I'm wondering what is the right way to use the data stored in sessionStorage. In my app, upon successfully signing in, I call the setPersistence method. Then in the main component, I have private routes in which I will either load the requested component or redirect, based on the authentication status, which I check in the sessionStorage.

I'm wondering however if that is secure. Isn't there a way for someone to easily hack this by manually adding a key/value ?

Should I add an extra check to ensure that the data in the sessionStorage is the data that is expected to be ? What is the right way to handle this ?

Answer 1

Do not use client side checks to enforce access control. Those are only superficial checks, regardless of the browser persistence used. The only safe way is to enforce the check is to do it server side by passing the ID token of the signed in user and validating it. Firebase Admin SDK provides API to help with that. Or if you are using Firebase security rules, that check is done automatically for you. If if a malicious user bypasses the client side check, the user data (stored on your server or via Firebase RTDB or Firestore) will remain inaccessible.

Basically, never rely on client side checks to verify the user authentication status.

Answer 2

You are right about the fact that it is not very secure. localStorage is meant to be a more advanced replacement (sort of) of cookies. It is mainly meant to act as quick and persistent store for basic key-value pairs to help with the general app/website functioning.

Ask yourself: Would you really want to store sensitive user information in cookies?

Your answer would be NO most probably. It's the same with localStorage. However, localStorage can only be accessed by the same origin that created it, which adds to some level of security. This tiny level of security can easily be bypassed by anyone with the sole intention of stealing important information. This can also be accessed easily by cross-site scripting, if not enough attention is paid to security (CORS, amongst others).

That being said, many apps today use it extensively to store login information like access tokens and other "partially-sensitive" information about the user. However, all this information is cross-verified by some server on the backend to check its authenticity.

If there is already a system in place (whether in-built in Firebase or custom built by you using cloud functions) to check how authentic the specific user retrieved from the localStorage is, and also that using that information alone nobody can access sensitive user info, then it is not a problem.

Isn't there a way for someone to easily hack this by manually adding a key/value ?

Yes, although not as simple as it might seem at first, it is indeed possible.

Should I add an extra check to ensure that the data in the sessionStorage is the data that is expected to be ? What is the right way to handle this ?

Depending on what kind of information it is and how much its authenticity matters to you, user or your app functioning, you may or may not want to put up a checking system in place.

Possible Solution: One possible solution is to use some sort of encryption to store the data to localStorage, like AES, with the keys for encryption (encryption keys) being stored securely on a server or only being known to the user.

IMPORTANT: Never ever store supremely important and private information like credit/debit card numbers, passwords etc. in localStorage, no matter how desperate you get or how "secure" you believe your app/site to be.