Jim,
It's outdated a bit. Since SPA is a new normal now, it becomes extremely
difficult to enforce HTTPOnly flag, because JS needs access to secrets
including those stored in cookies. 5-10 years ago I would always enforce
HTTPOnly and now - I can't.
Thanks,Oleg.
From: Jim Manico <[email protected]>
To: Adam Lewis <[email protected]>
Cc: OAuth WG <[email protected]>
Sent: Thursday, September 8, 2016 10:45 AM
Subject: Re: [OAUTH-WG] best practices for implicit grant / token storage
In the web world, cookies for session identifiers are much safer - since we can
use HTTPOnly cookies to protect them from theft via XSS. The same mechanism is
not possible for localStorage. Overall, security folk say •keep sensitive data
out of localStorage• since one XSS and it's stolen. There is also a huge body
of work underway to make secure cookies even more so.
I'm not sure how this translates to native apps.
--Jim Manico@Manicode
On Sep 8, 2016, at 3:02 AM, Adam Lewis <[email protected]> wrote:
Hi,
The WG is currently putting together best practices for native apps. I would
like to better understand the best practices around ua-based-apps, especially
as it relates to token storage. I've read various blog posts about the
preference between storing tokens in cookies vs. Web Storage
(localStorage/sessionStorage). The current set of specs are rather silent on
the matter, as it is more of an implementation issue (but that is where most
mistakes are made).
What is the WG's guidance on this?
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
