1

I am developing a login feature for an Angular 5 web app. In the backend (.NET Core 2.0) I send a token after the user enters the correct username and password, but on the client (Angular 5) I wonder what concept I should apply. What plugins should I use? Should I store the token in localStorage? Does anyone have any idea? Many thanks!

every Bit
  • 399
  • 1
  • 4
  • 18
  • Sure, you should store the token into localStorage. That is the best way I think. Why do you wonder about that? – Khai Nguyen Nov 15 '18 at 04:00
  • @KhaiNguyen I have some worries about security if we store the token in localStorage – every Bit Nov 15 '18 at 04:19
  • 1
    I've voted to close this question because of: **primarily opinion-based** - *Many good questions generate some degree of opinion based on expert experience, but answers to this question will tend to be almost entirely based on opinions, rather than facts, references, or specific expertise.* – Tân Nov 15 '18 at 04:53
  • Also, user can clear all your items in localStorage easily. Check this: [window.localStorage](http://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage) – Tân Nov 15 '18 at 04:55

1 Answer

2

You should first know the pros and cons of storing the token in Web Storage (localStorage or sessionStorage) or in a cookie. Consider the security:

Web Storage (localStorage/sessionStorage) is accessible through JavaScript on the same domain. This means that any JavaScript running on your site will have access to web storage, and because of this it can be vulnerable to cross-site scripting (XSS) attacks.

Cookies, when used with the HttpOnly cookie flag, are not accessible through JavaScript, and are immune to XSS. You can also set the Secure cookie flag to guarantee the cookie is only sent over HTTPS. However, cookies are vulnerable to cross-site request forgery (CSRF) attacks.

You can refer to this thread, which provides a detailed discussion about that.

Nan Yu
  • 26,101
  • 9
  • 68
  • 148