Can session storage be safe?

javascript session html storage xss
AppBuilder picture AppBuilder · Apr 20, 2011 · Viewed 17.1k times · Source

I would like to use session storage to query user data in the database only once and then simply use JS to retrieve it, so I'm thinking about using session storage. My question is next, is that safe?

Please note:

1. JS can't be inserted to pages with forms (forms only accept alphanumeric values) so it can only come from URL

1.1 Query strings like www.website.com/?q=blablabla are not used in php (php doesn't retrieve any data from url)

1.2 Calling js in url with javascript:script... isn't a big concern since the user can only asccess his own data, not to mention that he can already access it - that's the point of user data

1.3 Is there a third way of a user being redirected to the site via a link that contains JS that will than be able to access session storage? i.e.: somthing like - www.website.com/script...

My guess is that only something like 1.3 would be a threat (in addition to that, am I missing something?) but does that even exist? And if so is there a way to prevent it?

Thanks for your time and replys.

Answer

Paystey picture Paystey · May 4, 2011

You're essentially relying on two things for session storage security:

  1. The browser limiting access only to the javascript on the page from this domain
  2. javascript that is running on the page to be secure

Now there's not a whole lot you can do about No. 1 because that's the vendor's issue and, not pointing at anyone in particular but, most of them are usually pretty good at this kind of thing.

So you can be fairly sure no other code on any other tab, domain, browser or process is going to be able to see your storage object.

However, No. 2 is more difficult, You'll have to evaluate by yourself how secure your page is to script attacks, there's plenty of documentation out there on best practices but you could go on for days. You really need to judge how sensitive the data is versus how much work and possible loss of features it would be to secure against it.

If it's really sensitive data I'd question why you'd risk storing it client side at all and have access only through HTTPS. But you're site should be secured for most scripting attacks because if 3rd party javascript is running session cookies are up for grabs and therefore your server security is compromised too.

Related questions

How to access Session variables and set them in javascript?

In code-behind I set Session with some data. Session["usedData"] = "sample data"; And the question is how can I get the Session value(in my example; "sample data") in javascript and set Session["usedData"] with a new value?

Read More
Invalidating JSON Web Tokens

For a new node.js project I'm working on, I'm thinking about switching over from a cookie based session approach (by this, I mean, storing an id to a key-value store containing user sessions in a user's browser) to a …

Read More
Redis connection to 127.0.0.1:6379 failed - connect ECONNREFUSED

I working with node.js by expressjs I try to store an account to session. So, i try to test to use session with code in expressjs var RedisStore = require('connect-redis')(express); app.use(express.bodyParser()); app.use(express.cookieParser()); …

Read More