Hacking authentication tokens

Question

5.00/5 (1 vote)

See more:

Hi,

Lets say I have implemented Token based Authentication and what I do is that I store the token in LocalStorage of WebBrowser.

Everything is fine but I have not taken care of the hack.
I mean Since the token is in the browser storage for lets say 1 min but hackers can still hack it in 1 min.

How to face that ? or any new approach to cover it up ?

What I have tried:

Tried Googling but didnt find anything specific

Posted 19-Dec-18 3:03am

vaibhav1800

Updated 20-Dec-18 1:59am

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Nathan Minier · Answer 1 · 2018-12-20T01:59:00

This depends a bit on the level of control that you have over what is in the javascript included on your page. If all you are ever going to have is your own JS and you don't use any third-party frameworks or libraries, then the local store is fine.

If you think you might ever use an external library, though, you might need another method. An interesting one I've seen revolves around the use of httpOnly, digitally-signed cookies with embedded session tokens.

I found a very comprehensive write up about the problem and solutions here:
Please Stop Using Local Storage - DEV Community[^]