Here is a question I sent to Mosh Hamedani and Maximilian Schwarzmüller about storing authentication tokens in local storage

Hi,

My name is Mody Tal, my email is tamord@gmail.com, and I have purchased and watched the videos of the course: Angular - The Complete Guide (2020 Edition)

Well, just a small question. In lecture 303, “Auto Login”, you mentioned that the web API (for authentication), which is Firebase in our case, should return a token with info on the authenticated user, and you also mentioned that the JWT token should be stored in local storage.

However, when I googled “put authentication in local storage”, I got the question: Is it safe to store the auth token in local storage?

Here is an answer I got from Google about storing authentication info in local storage:

"A JWT needs to be stored in a safe place inside the user’s browser. If you store it inside localStorage, it’s accessible by any script inside your page (which is as bad as it sounds, as an XSS attack can let an external attacker get access to the token). Don’t store it in local storage (or session storage)."

So, the question is: where should I store the token? Both local storage and cookies are visible to the user (as you mentioned, they can inspect the local storage or cookies from the Application tab in the Google Chrome inspector, and they can even modify the local storage, I think).

I hope you can answer my question as I want to make authentication as secure as possible.

Thanks, Mody Tal

tamord@gmail.com

Hey there!

Is this a course that was developed by Auth0?

Hi,

The course is called: Angular - The Complete Guide (2020 Edition)
and is hosted on Udemy. I have purchased the course.

So, I wanted to know where to store the authentication token.

Because when I googled “put authentication in local storage”

I got the answer:
"A JWT needs to be stored in a safe place inside the user’s browser. If you store it inside localStorage, it’s accessible by any script inside your page (which is as bad as it sounds, as an XSS attack can let an external attacker get access to the token). Don’t store it in local storage"

I don’t know who wrote this tip, however since Google put this snippet as the 1st result
I’m afraid it’s correct, and

I really wanted to know where to put the auth token so that the user is able to log in,
then leave and return to the website and stay connected.

Thanks

I guess this question should be addressed by the course authors, as we as Auth0 employees have no information about the guidance and content presented in the course, and thus we can’t suggest anything because we don’t know if it will work with what is shown there.

Every course on Udemy has its own discussion section, so I guess it would be good to look for information from the authors there.

OK, so I will go to the Udemy course and post the question.


Perfect thanks a lot!


I reached the Auth0 website from the JWT website.

I clicked on Ask from the menu
and this brought me here;
that’s why I posted the question here.
Mody

Gotcha! But as I’ve said, the course content wasn’t developed by Auth0 and I have no idea what the guidance in that course is, so I don’t want to recommend anything because I cannot prove that it will work with what is presented in the course content or whether it is safe.
