by brimtown 2397 days ago
> Q: If I have to include this token with every request, where should I store it?

> A: Typically, you would store it in the localStorage, after the user logs in and gets the token.

This seems to contradict Auth0's guidance to not store tokens in localStorage since it's vulnerable to XSS: https://auth0.com/docs/security/store-tokens#don-t-store-tok...


Yes, but when the server does not send the token as a cookie, the only option is to store it with JavaScript. And yes, that also means (any) JavaScript can access the token.

Thanks for the insight! If anyone cares to provide any clue about best practices and how to handle token storage, you are more than welcome to provide any insight.
Here you go: https://auth0.com/docs/security/store-tokens

Gives various suggestions depending on your use case.

I've been looking at this for months without getting a clear, noncontroversial answer. Even with this documentation, it is still unclear what to do if you have a SPA on another host than your backend (so you can't use cookies), and you do not want to use server sessions. Using `oidc-client` from the frontend could work, but that bundle size[0] is absolutely insane.

[0]: https://bundlephobia.com/result?p=oidc-client@1.9.1