Feature request: Store session cookies in secure storage and not in localstorage #194
Comments
Hi Marc, I understand your concerns about security. I also think that the risk is reduced in our special case, because it's running in a sand-boxed app which can't be inspected with developer tools when running in production mode (at least on a device which is not rooted / jail-broken). But it still feels wrong, so I'll put this on the roadmap. 👍
Hi Marc, I've done some research for this feature request. The problem with secure storage on devices is that they all use the device PIN, passphrase or lock code to encrypt data. You can't use the secure storage without having a lock code defined. Therefore I don't see a better option to save the data other than in local storage.
Thanks for getting back with this research.
Indeed. We work around this limitation in our app by only using secure storage when it's available. On other devices the "normal" storage is used. We follow the practice that if the user doesn't have a PIN set up, he probably doesn't care so much about security. I guess malicious JS can still be injected in a WebView, even though it's sandboxed? Especially if a remote http website (without https) is being loaded. My counter proposal would be to take advantage of the secure storage whenever available and, if it's not possible, to fall back to local storage / native "normal" storage.
Another side effect of not storing cookies in native storage (secure or "normal") is that when I updated the Ionic WebView the URL scheme changed from If this plugin would keep track of the values in the native storage then it would be unaffected by WebView changes.
Hi, I'm currently adding the following interface to

```javascript
/**
 * Provides a custom cookie storage, to override the default localStorage
 * @param {Object} storageImpl
 * @param {(name: string, value: string) => void} storageImpl.setItem
 * @param {(name: string) => string} storageImpl.getItem
 * @param {(name: string) => void} storageImpl.removeItem
 */
function setCookieStorageImpl(storageImpl)
```

In my case, I can use my own implementation which encrypts and stores data in the native storage, but anyone could use it to store cookies in the native storage for example.
@gaspachoandalus Yes, this sounds good actually. But your JSDoc comments are confusing me a bit. You are documenting four params, but it's actually only one parameter in the function signature. I'd propose, just open a PR and we can discuss it there.
I would suggest the
@Lindsor yes, it would be better to have an asynchronous implementation. I have not checked how many changes would be required though. My real storage implementation:
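Added example, not code from this thread or from the plugin: it ties together the three points above (prefer secure storage when the device has a lock code and fall back to plain storage otherwise, expose it through a `setItem`/`getItem`/`removeItem` storage object, and make the interface asynchronous as @Lindsor suggested). `SecureStoreStub` and `PlainStoreStub` are constructed in-memory stand-ins for a native secure-storage plugin and for `localStorage`; `createCookieStorageImpl`, `CookieJar` and the Promise-returning shape of the storage object are assumptions of this example, not the plugin's API.

```javascript
// Constructed stand-in for a native secure-storage plugin. `available` models the
// device-lock requirement described in the thread: the secure store only works when
// a PIN/passcode is set. Not a real plugin API.
class SecureStoreStub {
  constructor(available) { this.available = available; this.data = new Map(); }
  async isAvailable() { return this.available; }
  async set(name, value) {
    if (!this.available) throw new Error('secure storage unavailable: no device lock code');
    this.data.set(name, String(value));
  }
  async get(name) { return this.data.has(name) ? this.data.get(name) : null; }
  async remove(name) { this.data.delete(name); }
}

// Constructed stand-in for localStorage (synchronous, same-origin, unencrypted).
class PlainStoreStub {
  constructor() { this.data = new Map(); }
  setItem(name, value) { this.data.set(name, String(value)); }
  getItem(name) { return this.data.has(name) ? this.data.get(name) : null; }
  removeItem(name) { this.data.delete(name); }
}

// Builds the storageImpl object (setItem/getItem/removeItem, all returning Promises).
// Uses the secure backend when it is available and falls back to the plain one otherwise,
// so the caller never has to know which device it is running on.
async function createCookieStorageImpl(secure, plain) {
  const useSecure = Boolean(secure) && await secure.isAvailable();
  if (useSecure) {
    return {
      backend: 'secure',
      setItem: (name, value) => secure.set(name, value),
      getItem: (name) => secure.get(name),
      removeItem: (name) => secure.remove(name),
    };
  }
  return {
    backend: 'plain',
    setItem: async (name, value) => plain.setItem(name, value),
    getItem: async (name) => plain.getItem(name),
    removeItem: async (name) => plain.removeItem(name),
  };
}

// Minimal cookie jar that keeps all cookies, grouped by domain, as one JSON document
// under a single key in whatever storageImpl it was given (hypothetical helper).
const COOKIE_KEY = '__cookies';
class CookieJar {
  constructor(storageImpl) { this.storage = storageImpl; }
  async load() {
    const raw = await this.storage.getItem(COOKIE_KEY);
    return raw ? JSON.parse(raw) : {};
  }
  async setCookie(domain, name, value) {
    const jar = await this.load();
    jar[domain] = jar[domain] || {};
    jar[domain][name] = value;
    await this.storage.setItem(COOKIE_KEY, JSON.stringify(jar));
  }
  async getCookies(domain) {
    const jar = await this.load();
    return jar[domain] || {};
  }
  async clear() { await this.storage.removeItem(COOKIE_KEY); }
}

// Demonstration: a device with a lock code ends up in secure storage and nothing touches
// the plain store; a device without one falls back to the plain store.
async function demo(hasLockCode) {
  const secure = new SecureStoreStub(hasLockCode);
  const plain = new PlainStoreStub();
  const impl = await createCookieStorageImpl(secure, plain);
  const jar = new CookieJar(impl);
  await jar.setCookie('api.example.test', 'session', 'abc123'); // constructed values
  const cookies = await jar.getCookies('api.example.test');
  return {
    backend: impl.backend,
    session: cookies.session,
    leakedToPlain: plain.getItem(COOKIE_KEY) !== null,
  };
}

demo(true).then((r) => console.log('locked device:', r));
demo(false).then((r) => console.log('unlocked device:', r));
```

The fallback keeps the behaviour Marc described for devices without a PIN, while on locked devices the serialized cookie jar never reaches the plain (WebView-readable) store.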
The local storage is very insecure. Thus we shouldn't store cookies (or at least session cookies) in it, because it's open for potential attackers.
I understand that the risk of an attack is reduced since we are talking about a WebView inside a native app. But still, when a developer navigates within the WebView to a different website, there might be a scenario where the local storage can get exploited.