Thanks for your answer Eric!

We are using HTTPS and the token does not hold any significant data. 
We were discussing obfuscation (or encryption) before storing the token in 
session storage, but that would not be any better, as an intruder could use this 
encrypted token as is and present himself as a valid user anyway.

JWT was considered and it looks good but we don't have time to implement it 
at the moment. 

Regards,
Darko


On Thursday, October 16, 2014 8:44:33 PM UTC+2, Eric Eslinger wrote:
>
> If the attacker has access to the user's computer, you're kind of in 
> trouble no matter what. You could obfuscate the token, but clients are not 
> to be trusted. The best thing to do is assume that tokens are held only by 
> one client (and make sure you are only sending the token over HTTPS, and 
> not in the clear in HTTP).
>
> I am not sure how you generate the token, but the other important thing is 
> to not keep anything important in the token itself (unless you use 
> something neat like JWT signed state tokens); you don't want a determined 
> user able to escalate or change privilege sets by manipulating their token.
>
> E
>
> On Thu, Oct 16, 2014 at 11:09 AM, Darko Simic <[email protected]> wrote:
>
>> Hi,
>>
>> I made an Angular application and I'm using token authentication. 
>> At the moment, I'm storing this token in the browser's session storage (using 
>> LocalStorageModule) and I'm sending it in every request.
>> My concern is that anybody can see the exact token value (if they have access 
>> to the browser's session storage, of course) and maybe abuse it.
>>
>> Is this a real threat? Is there any workaround that is safer?
>>
>> Thanks,
>> Darko
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "AngularJS" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at http://groups.google.com/group/angular.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>

