Advertisement
Advertisement
β‘ Community Insights
Discussion Sentiment
58% Positive
Analyzed from 549 words in the discussion.
Trending Topics
#cookies#localstorage#cookie#don#authentication#example#bad#still#web#auth
Discussion Sentiment
Analyzed from 549 words in the discussion.
Trending Topics
Discussion (12 Comments)Read Original on HackerNews
Much more importantly however, is that the cookie standards are a mess! The complexity of cookie default behaviour, their flags, scopes, differences in their SOP (cookies ignore ports for example, so https://example.com:443 and https://example.com:8443 share their cookies) are huge. Research papers have been written in this. And don't even get started on differentials between browsing engines.
This huge complexity of cookies opens up a whole class of authentication attacks where bad (or just weirdly) configured cookies can be stolen cross origin.
localStorage on the other hand is practically impossible to get wrong.
But they're still the superior choice for authN on the web, because if you want to, you CAN configure cookies to be secure. Yes, attackers can ride the session, but it's dependent on the user being on the tab and you being able to consistently execute JS. Client-side compromise (ie attacker controls the entire browser) is not feasible to defend against anyway.
The main issue with JWT+localStorage is you can actually execute one-off JS, exfiltrate the token and come back later. I've _never_ seen a well-executed JWT+localStorage implementation in 10 or so years, because teams inevitably realise they can't reliably revoke sessions (another advantage of cookies) and then start giving out long-lived access tokens but adding them to the database. Or some variation of that.
As an old guy reading this I had a lot of wtf moments during the setup. Then I laughed pretty hard when we eventually got to this line. Like there's a reason we invented cookies and all mature web frameworks use them for auth.
Cookie stealers, issues with third-party cookies and tracking... it's not like the past was a paradise, in fact, quite the opposite. Hell I 'member times when we had to append ?PHPSESSID=... to URLs. Cookies were a stopgap...
This is what aspnet core does by default if you enable cookie-based authentication. Gives you the best of both worlds.
Is there someone in another part of the world that would like hacking you only if youβre not using httpOnly cookies, happy to know that you used localstorage?
I really want this era of AI generated writing that reads so poorly to end. Or at least society should be ashamed of publishing this content.