In the web world, cookies for session identifiers are much safer, since we can use HttpOnly cookies to protect them from theft via XSS. The same mechanism is not possible for localStorage. Overall, security folk say "keep sensitive data out of localStorage", since one XSS and it's stolen. There is also a huge body of work underway to make secure cookies even more so.
I'm not sure how this translates to native apps.

-- 
Jim Manico
@Manicode

> On Sep 8, 2016, at 3:02 AM, Adam Lewis <adam.le...@motorolasolutions.com> wrote:
>
> Hi,
>
> The WG is currently putting together best practices for native apps. I would
> like to better understand the best practices around ua-based-apps, especially
> as it relates to token storage. I've read various blog posts about the
> preference between storing tokens in cookies vs. Web Storage
> (localStorage/sessionStorage). The current set of specs are rather silent on
> the matter, as it is more of an implementation issue (but that is where most
> mistakes are made).
>
> What is the WG's guidance on this?
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth