[Owasp-leaders] HTML5 local storage..

Christian Papathanasiou christian.papathanasiou at owasp.org
Thu Dec 5 09:56:50 UTC 2013

Hi everyone,

Assuming a domain does all the right stuff regarding XSS protection (white listing, output encoding, CSP etc etc) could HTML 5 local storage perhaps be a very interesting candidate for storing session cookies and performing authentication/authorization?

Reading between the lines the following key benefits stood out for me:

Local storage token/cookie not transmitted over the wire, hence minimising the opportunity of cookie theft from sniffing

Same origin policy means that the local storage cookie will be protected/relatively immune from CSRF attacks and hence no additional effort required to CSRF tokenize forms etc.

Of course, if your site has XSS then local storage cookies can be siphoned off or even injected but assuming for the time being that the site is immune to XSS and hence the lack of http only doesn't really matter and everything going over SSL by default (hence secure flag doesn't really matter) would the above benefits hold true?

Of course the user can mangle the local storage token/cookie but that would in effect not really be different to doing the same with burp proxy etc as long as the token/cookie is sufficiently random, complex etc and unable to infer other people's session tokens for horizontal or vertical priv esc.

Am I missing something fundamental from a security perspective here? :-)

Finally are there any local storage authentication/authorization frameworks out there?

Many thanks & kind regards,
Christian Papathanasiou.
