Amplify-js: Use secure cookies as default storage method for Auth

Created on 29 Nov 2018 · 12 Comments · Source: aws-amplify/amplify-js

I realize this is a breaking change, so maybe reserve this for a major version. Secure cookies are a more secure option than using localStorage.

Auth feature-request

Most helpful comment

any update on this one?

All 12 comments

Hi @ffxsam

Thanks for the suggestion/feature-request!

More info:
https://auth0.com/docs/security/store-tokens

Don't store tokens in local storage
Browser local storage (or session storage) is not secure. Any data stored there may be vulnerable to cross-site scripting. If an attacker steals a token, they can gain access to and make requests to your API. Treat tokens like credit card numbers or passwords: don't store them in local storage.

@manueliglesias Any update on this one?

any update on this one?

bump -- just adding my +1 for this feature request.

I was testing auth.signIn and I noticed it stores everything in localStorage: identityId/cognitoIdp/accessToken/id token/refresh token. Why is this? This is not safe at all, right? Or am I mistaken?

Correct. But you can override it: https://aws-amplify.github.io/docs/js/authentication#manual-setup
(see cookieStorage property)

Thanks @ffxsam. I have a follow-up to this: If I open 3 tabs, sign in using three different users, then sign out/close one tab. What do I need to do with Amplify to sign that user out only and keep the remaining three users signed in?

In addition, if I sign in to the same user three times in three different tabs, does signing out in one tab invalidate the other two tabs?

What you're asking for is not possible. One tab or four, they're all using the same shared cookies and local storage if it's the same website. Typically you would use a different browser or an incognito/private tab to log in as a different user in a different window.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Closing as secure cookies can be set with a custom storage adapter:

https://docs.amplify.aws/lib/auth/manageusers/q/platform/js#managing-security-tokens

(localStorage is still the default)
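The two pointers above (the `cookieStorage` property, and a custom storage adapter) both come down to handing Auth an object with `getItem` / `setItem` / `removeItem` / `clear`. Below is an added example, not Amplify's own code, of such an adapter that writes each token as a `Secure; SameSite=Strict` cookie; `FakeCookieJar` is a constructed stand-in for `document.cookie` so the adapter can be exercised outside a browser (in a page you would pass `document` instead).

```javascript
// Cookie-backed storage adapter in the shape Auth's `storage` option accepts
// (getItem / setItem / removeItem / clear). `doc` is any object exposing a
// document.cookie-like `cookie` property: the real `document`, or the fake jar below.
class SecureCookieStorage {
  constructor(doc, { prefix = 'amplify.', path = '/', maxAge = 3600 } = {}) {
    this.doc = doc;
    this.prefix = prefix;
    this.path = path;
    this.attrs = `; Path=${path}; Max-Age=${maxAge}; Secure; SameSite=Strict`;
    this.keys = new Set(); // names written through this adapter, for clear()
  }
  // document.cookie reads back as "k1=v1; k2=v2"; names and values are URL-encoded on write.
  parse() {
    const out = {};
    for (const pair of this.doc.cookie.split('; ')) {
      if (!pair) continue;
      const i = pair.indexOf('=');
      out[decodeURIComponent(pair.slice(0, i))] = decodeURIComponent(pair.slice(i + 1));
    }
    return out;
  }
  setItem(key, value) {
    this.keys.add(key);
    this.doc.cookie = `${encodeURIComponent(this.prefix + key)}=${encodeURIComponent(value)}${this.attrs}`;
    return value;
  }
  getItem(key) {
    const v = this.parse()[this.prefix + key];
    return v === undefined ? null : v;
  }
  removeItem(key) {
    this.keys.delete(key);
    // Max-Age=0 with the same Path expires the cookie immediately.
    this.doc.cookie = `${encodeURIComponent(this.prefix + key)}=; Path=${this.path}; Max-Age=0; Secure; SameSite=Strict`;
  }
  clear() { for (const k of [...this.keys]) this.removeItem(k); }
}

// Constructed stand-in for document.cookie: each assignment sets or deletes one
// cookie (Max-Age=0 deletes) and records the attributes it was written with.
class FakeCookieJar {
  constructor() { this.jar = new Map(); this.lastAttrs = ''; }
  get cookie() { return [...this.jar].map(([k, v]) => `${k}=${v}`).join('; '); }
  set cookie(str) {
    const [kv, ...attrs] = str.split('; ');
    const i = kv.indexOf('=');
    const name = kv.slice(0, i), val = kv.slice(i + 1);
    this.lastAttrs = attrs.join('; ');
    if (attrs.includes('Max-Age=0')) this.jar.delete(name); else this.jar.set(name, val);
  }
}
```

Cookies written from page script cannot carry `HttpOnly`, so this adapter keeps tokens off plain-HTTP transport and out of cross-site requests but remains readable by script on the page; a cookie only the server sets with `HttpOnly` is what closes that last gap.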

Hello, thank you for aws-amplify. Our dev team loves it. Why is local storage still the default for aws-amplify? Is it just out of convenience? I see we can switch over to cookies, thanks for the links (above) but still wondering why this hasn't been patched, or if it is even necessary.

Thanks and have a great day.
