If the attacker has access to the user's computer, you're kind of in trouble no matter what. You could obfuscate the token, but clients are not to be trusted. The best thing to do is assume that tokens are held only by one client (and make sure you are only sending the token over HTTPS, and not in the clear in HTTP).
I am not sure how you generate the token, but the other important thing is to not keep anything important in the token itself (unless you use something neat like JWT signed state tokens); you don't want a determined user able to escalate or change privilege sets by manipulating their token.

E

On Thu, Oct 16, 2014 at 11:09 AM, Darko Simic <[email protected]> wrote:
> Hi,
>
> I made an Angular application and I'm using token authentication.
> At the moment, I'm storing this token in the browser's session storage (using
> LocalStorageModule) and I'm sending it in every request.
> My concern is that anybody can see the exact token value (if they have access
> to the browser's session storage, of course) and maybe abuse it.
>
> Is this a real threat? Is there any workaround that is safer?
>
> Thanks,
> Darko
>
> --
> You received this message because you are subscribed to the Google Groups
> "AngularJS" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/angular.
> For more options, visit https://groups.google.com/d/optout.
