The only way to get the localstorage is if you get malicious code on your
own page. The localstorage is specific to your site - it is even different
if you have http and https for the same site.

The way it could be exploited would be if you include js on your site (some
third party thing) that scrapes the localstorage variables.

Regards,

Andréas


On Mon, 17 Dec 2018 at 11:24, cyril moreau <cyril.more...@gmail.com> wrote:

> Hi,
>
> I also thought about storing the token in the local storage, but according
> to my research it is not safe because it is open to XSS attacks and the
> token will be accessible from any browser tab using JavaScript.
> Is localstorage widely used to store the token even if it is not safe?
>
> That is why I thought of using cookies and CSRF protection for the web-based
> app.
> If you have a safe solution with tokens only, I will take it.
>
> Thank you
> Cyril
>
>
> On Monday, 17 December 2018 09:53:03 UTC+1, Andréas Kühne wrote:
>>
>> Hi,
>>
>> I wouldn't use session-based backends at all - because then you will need
>> to do session-based login instead of using the token. This is not a
>> standard way of doing REST requests at least.
>>
>> What I would do is just save the token in localstorage on the client.
>> This is the way we do it for handling long based requests. Also then you
>> will need to be able to refresh the token when the token expires (which you
>> should do anyway).
>>
>> This would solve all of your problems (including mobile app - you just
>> store the token in the app).
>>
>> You can see this approach here:
>>
>> https://medium.com/@rajaraodv/securing-react-redux-apps-with-jwt-tokens-fcfe81356ea0
>>
>> Check under the header "Storing JWT token".
>>
>> It doesn't need to be a JWT token - the principle is the same regardless
>> of how you generate the token.
>>
>> Regards,
>>
>> Andréas
>>
>>
>> On Sun, 16 Dec 2018 at 20:18, cyril moreau <cyril....@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I am looking for information/help about storing my token in a cookie in
>>> a safe way.
>>>
>>> Backend: Django REST framework - Frontend: ReactJS
>>>
>>> I am using django-rest-framework-social-oauth2
>>> <https://github.com/RealmTeam/django-rest-framework-social-oauth2> to
>>> get a token (from different providers) and make requests to the API (it
>>> works).
>>>
>>> But every time I refresh the page the user gets logged out, as ReactJS
>>> does not keep the token in a cookie, and the user has to log in again.
>>>
>>> I would like to keep it in a cookie to let the user make requests even
>>> if he closes the browser.
>>>
>>> I also want to secure it with csrf protection.
>>>
>>> I have spent a lot of time looking for a solution and today I have found
>>> django.contrib.sessions.backends.signed_cookies
>>> or django.contrib.sessions.backends.db
>>>
>>> The one that interests me is
>>> django.contrib.sessions.backends.signed_cookies
>>>
>>> 1) I would like to know if a middleware exists to generate the signed
>>> cookie or if I have to create it?
>>>
>>> 2) Will this signed cookie be used by the SessionAuthentication
>>> backend, or should I develop a piece of code that will get the token from
>>> the signed cookie -> authenticate the token -> allow the user to execute
>>> his request?
>>>
>>> 3) Where is the signed cookie data stored (database?) and how can I get
>>> it?
>>>
>>> 4) Is it OK to put the token in the cookie?
>>>
>>>
>>>
>>> I would like to implement an API that can authenticate a web browser or
>>> mobile app.
>>>
>>>
>>> 5) I want to be able to use the token to authenticate from the browser
>>> to my website (a cookie, to avoid the user having to log in again and again).
>>>
>>> 6) I want to use this API for a mobile app as well. Does creating a
>>> cookie create a conflict during the mobile app authentication?
>>>
>>>
>>> Thank you for your help!
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Django users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to django-users...@googlegroups.com.
>>> To post to this group, send email to django...@googlegroups.com.
>>> Visit this group at https://groups.google.com/group/django-users.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/django-users/f8f0f7e7-0556-4277-95ea-347552277ca5%40googlegroups.com
>>> <https://groups.google.com/d/msgid/django-users/f8f0f7e7-0556-4277-95ea-347552277ca5%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>

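The two questions the thread leaves open, whether a token can live in a signed cookie without touching the database and how the browser path (cookie plus CSRF check) coexists with a mobile path (token in a header), as an added worked example. This is not code from the thread, from Django, from DRF or from django-rest-framework-social-oauth2: the HMAC signing below is a simplified stand-in for django.core.signing so the file runs with only the standard library, and SECRET_KEY, the cookie and header names, the VALID_TOKENS table and the request dict shape are all assumptions.

```python
"""Signed-cookie token carrier plus a header path for mobile clients.

Added example, not Django's or DRF's code.  The HMAC signing is a stand-in
for django.core.signing; SECRET_KEY, cookie/header names, VALID_TOKENS and
the request dict shape are assumptions made for this example.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET_KEY = b"example-secret-key-not-for-production"  # assumption: settings.SECRET_KEY
COOKIE_NAME = "auth_token"    # assumption: name of the cookie carrying the token
CSRF_COOKIE = "csrftoken"     # Django's default CSRF cookie name
CSRF_HEADER = "X-CSRFToken"   # header Django/DRF read the CSRF token from
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed stand-in for the token table a real backend would query.
VALID_TOKENS = {"tok-abc123": "cyril"}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token_cookie(token: str, ttl_seconds: int, now=None) -> str:
    """Pack token + expiry into the cookie value and MAC it with SECRET_KEY.

    As with the signed_cookies session backend, the data lives in the cookie
    itself: nothing is stored server-side, the server only keeps the key.
    """
    now = int(time.time()) if now is None else now
    payload = _b64(json.dumps({"token": token, "exp": now + ttl_seconds}).encode())
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(mac)}"


def unsign_token_cookie(value: str, now=None):
    """Return the token, or None if the MAC, the format or the expiry is bad."""
    now = int(time.time()) if now is None else now
    try:
        payload, mac = value.rsplit(".", 1)
        expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(mac)):
            return None
        data = json.loads(_unb64(payload))
    except (ValueError, TypeError):
        return None
    if not isinstance(data, dict) or data.get("exp", 0) < now:
        return None
    return data.get("token")


def set_cookie_header(value: str) -> str:
    """HttpOnly keeps page scripts, including third-party JS, away from the token."""
    return f"Set-Cookie: {COOKIE_NAME}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


def authenticate(request: dict, now=None):
    """Return (user, source); raise PermissionError otherwise.

    Header path first (mobile app: no cookie jar, so no CSRF exposure), then
    the cookie path (browser), which gets a CSRF check on unsafe methods.
    request = {"method": ..., "headers": {...}, "cookies": {...}} (assumed shape).
    """
    headers, cookies = request.get("headers", {}), request.get("cookies", {})
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        user = VALID_TOKENS.get(auth[len("Bearer "):])
        if user is None:
            raise PermissionError("invalid bearer token")
        return user, "header"
    raw = cookies.get(COOKIE_NAME)
    if raw is None:
        raise PermissionError("no credentials")
    token = unsign_token_cookie(raw, now)
    if token is None:
        raise PermissionError("bad or expired cookie")
    user = VALID_TOKENS.get(token)
    if user is None:
        raise PermissionError("unknown token in cookie")
    if request.get("method", "GET").upper() not in SAFE_METHODS:
        # Double-submit check: the browser attaches the cookie on its own, but
        # only our page's JS can set the header, so a cross-site form fails here.
        sent, expected = headers.get(CSRF_HEADER, ""), cookies.get(CSRF_COOKIE, "")
        if not (sent and expected and hmac.compare_digest(sent, expected)):
            raise PermissionError("CSRF check failed")
    return user, "cookie"


def auth_outcome(request: dict, now=None):
    """Turn the PermissionError into a (None, reason) pair for easy inspection."""
    try:
        return authenticate(request, now)
    except PermissionError as exc:
        return None, str(exc)


if __name__ == "__main__":
    cookie = sign_token_cookie("tok-abc123", ttl_seconds=3600, now=1_000)
    print(set_cookie_header(cookie))
    print(auth_outcome({"method": "POST", "headers": {}, "cookies": {COOKIE_NAME: cookie}}, now=2_000))
    print(auth_outcome({"method": "POST", "headers": {"Authorization": "Bearer tok-abc123"}, "cookies": {}}))
```

Two design points worth noting. The cookie is marked HttpOnly, so the "third-party JS that scrapes the localstorage variables" scenario from the reply above cannot read it; localStorage has no equivalent flag. The header path skips the CSRF check because a cross-site form or image tag cannot set an Authorization header, which is why the mobile app and the browser do not conflict: each client uses one carrier and the server checks them in a fixed order. DRF's SessionAuthentication reads Django's session, not an arbitrary cookie, so in a real project logic like authenticate() would go into a custom authentication class rather than into the session backend.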
