I'm using the local storage to store data(values, menu etc. ), is it good practice in programing?
Local storage is inherently no more secure than using cookies. They are very similar to cookies, but can only be read client-side, whereas Cookies are sent to the server when visiting a site that has them. This could, in some systems, make Local Storage less secure, as it can only be read by the client side JS code, which can be modified.
There is no security on either Cookies or Local Storage, requiring you to make your own security if you want it. They are both good practice to use in certain situations, mainly when security is not a priority and you want to for example, save settings or count visits to a site.
FYI: Local Storage is not a Chrome-only feature. The Chrome Storage API is a Chrome only storage mechanism used for Chrome and Chromium extensions. It works the same as local storage, but with a few differences. Be sure not to be confused by the two.
Related
I was intending to release a website to the public that stored sensitive information on the client side using Local Storage such as API keys. Variables stored in Local Storage are used in my PHP scripts.
I was thinking, since it had an SSL certificate, this would suffice for storing sensitive information such as an API key and secret.
My website will not have ads. The website also has a MySQL database.
I am going to configure a general user for reading data in since a user does not need write privileges (it is a read-only site). The problem is if they went on a malicious website later on, they could extract these Local Storage keys (maybe with a script) and potentially hack my consumer.
The names are very generic on my website when creating and using the keys so it would be hard to identify the origin of the keys or what their purpose is.
Is this wrong to do this to my consumer?
Yes, it is wrong. It means a huge security leak. Imagine the case when any malicious Javascript is executed in the browser for any reason. It will be able to read the content of localStorage and send it to the hacker.
This could be caused by a website problem, such as possibility of XSS injection, but a browser extension with malicious content can achieve the same. While XSS injection can be protected against, if the developers of the site are careful, what browser extensions the users will install is beyond your control. Avoid this approach. Store sensitive data safely on the server.
Is it possible to make localStorage and/or IndexedDB offline data permanent?
I am planning to make a completely offline HTML5 app and want the data to never get deleted, unless and otherwise the user knowingly does so.
I do not want the data to be deleted even after the app is closed, system is shutdown or something like CCleaner is run.
What you are looking is persistent storage as defined in Quota Management API. Currently none of the browser implemented it.
However IndexedDB data, even thought temporary storage, are persist over application life cycle.
I am building a chrome extension that needs to persist user sensible data.
I know that you can use HTML5 but it is vulnerable to XSS, and possibly other form of attacks. I recently found out about chrome.storage but the docs say:
Confidential user information should not be stored! The storage area
isn't encrypted.
Now my question is:
Is there a secure way to store sensitive user data (i.e. a private key) in the browser?
The default content security policy pretty much protects you from XSS assuming you don't do anything really stupid. You could use some sort of a library to to encrypt local data and make users enter a passphrase to decrypt the data. The attack vectors at this point are more around malware on the computer and other people with physical access. Chrome extensions themselves are well protected from other sites.
Ultimately though, anything installed on the computer or having access to the computer has the potential to access the private info regardless of what you do. My recommendation would be make sure users are aware of how sensitive the data being stored is and that they need to maintain proper security precautions around getting access to the computer.
I have a few questions regarding the concept of HTML5 storage. I went through the w3c specification, books and tutorials on the same, but still I am a bit unclear about certain concepts:
Assume that I access Website A. Some JavaScript runs in my browser that sets a key value pair, say ('username','deepak'). Then I access Website B which also adds a key,value pair in the localstorage as ('username','mahalingam').
How will they both be differentiated?
Will Website B override the value set by website A in my localstorage?
How can we ensure that a website would not erase all of my localstorage?
Local Storage Privacy
Website A and Website B would have their own local storage. Usually you would have to store certain information in a server database and sync it to the local storage.
I would use the local storage as a cache to get data once and update it at a certain interval depending on when I would want to invalidate the cache. For instance, you could sync with the server when the user A would log out and user B would want to login.
Have a look at the Privacy section in the HTML5 spec for Web Storage.
More information information and resources here: HTML5 Rocks.
Testing
I would suggest the use of a local server setup such as Linux/Mac/Windows, Apache, MySQL, PHP stack (LAMP/MAMP/WAMP) to test on localhost (127.0.0.1).
Most browsers will limit you to 5 MB per domain for every window and tab because of the HTML5 spec recommendation.
I haven't tried this, but you could perhaps have a look at changing the port number of the localhost in Apache's httpd.conf (to do so, find Listen and change the port associated to it) and see if this will do the trick. Basically, you run each test under a different port number to have the whole storage limit for each test.
An alternative would be to create a Chrome extension. You can read more information about this here:
Managing HTML5 Offline Storage
Manifest files
What is the difference between these concepts, and when should I use one in particular? Does this listing also contain different names for the same general concept?
HTML5 local storage
HTML5 session storage
HTML5 web storage
HTML5 web database
Cookies
HTML5 web storage is a generic umbrella term for the new client-side data storage options.
Local Storage is persistent and scoped to the domain. At the moment two flavors are usually mentioned:
'default': stores things in name/value pairs
Web SQL (aka Web Database): uses an SQL database
Session Storage is non persistent and scoped only to the current window.
Cookies are the old school way of doing all of the above. Stores name/value pairs per domain.
I would like to add more information:
cookies are able to store only 4k of data
whereas localStorage is able to store 5mb of data (Depending on browsers)
Websites will save cookies in browsers and next time browser will send that cookie along with http request to be used server-side. Cookies are meant for being used with the server.
With localStorage, you can store more data, but it is restricted to the client by default.
Session Storage:Session storage is introduced where the user is carrying out a single transaction, but could be carrying out multiple transactions in different windows at the same time.Session is terminated once we close the window.
Local Storage:Local storage is specific to domain and is introduced to span across multiple windows.There is no time limit as in the case of Cookies,and can store upto 5MB storage such as Users MailBox etc....
AFAIC:
Cookies are 4k per cookie, and local storage is 5k per domain.
Cookies existance time limits and sorage is just client-side protocol- and domain-specific bin for data.
Another big thing to consider if your users are located in Europe, is that Cookies are illegal in Europe. https://www.sitepoint.com/europe-website-cookie-privacy-law/