I'm wondering how safe it would be to use html5 LocalStorage in a Phonegap app to store a user session.
Ideally I would store the user id + a random string to verify his identity on the database, much like a typical 'remember me' cookie.
Is this a safe practice? Anything I might be overlooking when it comes to storing data on Phonegap apps? Maybe something outside of LocalStorage?
Data saved in localStorage is not encrypted so any app/process that has access to that memory could read the value, similar to storing sensitive data in a cookie.
Recommend that instead of saving the userId in localStorage, save a non-identifiable session key. Or hash the userId and save that value instead (http://en.wikipedia.org/wiki/Cryptographic_hash_function).
Related
I am trying to redirect my user from a html page to a jsp page which has been deployed on tomcat/webapps using .war file.
While doing so, I am also sending the session information of the user as an hidden parameter via POST method.
With the help of burpsuite tool(security testing tool) one can easily manipulate the cookie and change the username of the user logged in. How will I be able to block such kind of cookie manipulation?
You cannot control/prevent what the browser/client is sending, so do not consider the data received as fact/true. Your application shouldn't just look at the username and say "oh, it's the admin user, I show the whole admin area".
To prevent tampering the data originated from the server or at least detect changes, you use encryption or digital signatures. With encrypted data, it is not possible to change the data. You don't know how to decrypt the data and encrypt the changed data correctly since you don't have the encryption key to do so. With signed data you can still read the data but the signature makes sure that you can detect, if the data has been changed.
In your case, you can use a JWT instead of just the username. The JWT contains a digital signature which is used to check if the data has been changed. Your "testing team" can change the data but your server can see immediately that it has been changed and reject the received (changed) information.
I am currently working on a website using React where I want to be able to have user login. Right now my strategy is to send form data to the server (express) on submit, and if the info matches a user in my DB, the server sends back a signed JWT with no sensitive information (just the username).
Once the client receives the JWT, I am adding it to localStorage as well as adding the decoded data of it to my redux store. I plan to have my redux store holding the currently logged in user.
I believe there may be a security issue in my site because currently I have it so when the user first arrives at the site, If there is a JWT, it is added to my axios headers and the decoded JWT is set to be the current user. The code looks like this:
if(localStorage.jwtToken) { // If token present, most likely a user is signed in
setAuthorizationToken(localStorage.jwtToken) // Set that token to head all api calls
store.dispatch(setCurrentUser(jwt.decode(localStorage.jwtToken))) // Set user in redux store
}
Currently I've found that if someone just goes into my localStorage, copies my JWT and adds it to their localStorage then bam, they are me. I'm unsure if this is really a security flaw because the only way I've recreated this myself is by physically copying the token from one browser to another. But in general this seems very unsafe that just taking my token steals my identity.
If anyone knows a way to make this more secure or if there is a better strategy, or at least tell me what I'm doing wrong that would be highly appreciated.
How can another person get your token? Give expire time to token needed. Maybe try different way for securing token, especially give more security in API side. When logging in, store log activity in database and create unique field to identificate it such ip address or user-agent, or maybe detect is that user have been hit login endpoint before or not.
I have a firebase data link located in app say, https://appname.firebaseio.com/.
There is no authentication to firebase links, all data is public.
We have a custom authentication system. But I am unable to add authentication via custom tokens to firebase because they expire after one hour and I can't force the user to login again.
But I secure the data by adding a sha1 hash for each user in data as label.
So data will link for user will be like:
https://appname.firebaseio.com/356a192b7913b04c54574d18c28d46e6395428ab.json
Is this a good method?
Can a user get all data from https://appname.firebaseio.com/, without providing my sha1 embedded url? Is there a way to get all the data or something that I should worry about?
No it no a good method.
All data from a public app can be retrieved by this using .json with app url.
https://appname.firebaseio.com/.json
If a website stores a value in local storage for a user on a machine, then later another user signs onto that machine and browses to the site, will the site see and overwrite the first user's value, or will local storage be empty because it's a different user?
(This is a similar question, but no one ever answers the first part: How to deal with localStorage for multiple users?)
To clarify: the OP is asking what happens with localStorage when two user profiles access the same site. The quick answer: they do not collide.
localStorage is stored separately for each browser user profile, just like cookies, passwords, stored form data, etc. If two people log into different accounts on a shared computer and both visit the same site, each person's localStorage data will be stored in a separate place.
However, this should not be used to store sensitive data! Also, when a user logs out the localStorage will still be there.
Here is a jsfiddle.
LocalStorage is a simple key-value store, in which the keys and values are strings. There is only one store per domain. This functionality is exposed through the globally available localStorage object. The same applies to sessionStorage.
There aren't user storage component provided by the localStorage system, but if you need you can manage in your html page using javascript
<script>
// Using localStorage
// store data
localStorage.lastName = "LastName";
localStorage.firstName = "FirstName";
localStorage.location = "Location";
// retrieve data
var lastName = localStorage.lastName;
var firstName = localStorage.firstName;
var location = localStorage.location;
</scipt>
this w3c resource and this from html5rocks could be useful
My app contain a security key which I need to send every time I call web service.
The code is not provided by the user, it's in the code and it won't be changed.
For now I store the key as a string in code.
I need to store it somewhere, the ideal solution would be .config file where I could store it in appSettings and I could also encode the file. I know that there is not such a file available in WP, but what is the WP alternative.
Do you know any way I can securely store the security key?
Thanks in advance.
Instead of securely storing the key with your xap, use your server to distribute key to the app.
When your app opens for the first time, get the key from server, encrypt it and store it in IsolatedStorageSettings. For subsequent app sessions, decrypt and use the same.
The current scenario is, all XAPs on store are encrypted and there is no way to get access to your dll without interop unlock. However, if you are not doing a Silverlight application and instead do a WinRT application, the APPX package is not encrypted and anyone can download it from the store.
If you are going with a Silverlight app, it is secure enough to put the key in IsolatedStorageSettings after encrypting. If it is a WinRT app, you can get the key from your server.