
OAuth2 Access Token Security Issue + Angular 2

I am storing the access token coming from Google OAuth2 in local storage. Now, the issue is, this is a security issue. Another person can copy the local storage values from my browser and enter the URL to access my account. How can we solve this, as the access token is generally stored in local or session storage only? We can log out after, say, 60 min, like this:

// Schedule a forced logout once the session is considered expired.
this.expiresTimerId = setTimeout(() => {
    console.log('Session has expired');
    this.doLogout(440);
}, 60 * 60 * 1000); // setTimeout takes milliseconds: 3600 would fire after 3.6 s, not 60 min

But the vulnerability exists for 60 min, which may cause a security breach. How to avoid this?

I don't know of any simple way of securing an access token against "someone else comes to my computer and misuses my open session" attacks (access tokens tend to be bound to the client IP address).

You can improve the situation by using sessionStorage instead of localStorage - it drops its values when the browser tab is closed.

To prevent an attacker from doing any harm, all operations performing data changes or displaying sensitive data would have to be re-authenticated, in a similar way to how online banking systems do it.
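The two ideas above (the question's logout timer and the answer's "re-authenticate sensitive operations" point) put together in one piece of client-side code, as an added example that is not part of the original question or answer. It keeps the token in a closure rather than in localStorage or sessionStorage (so a copied storage dump does not contain it and closing the tab drops it), derives the logout deadline from the `expires_in` value an OAuth2 token response carries instead of a hard-coded 60 minutes, and gates sensitive actions on how recently the user actually authenticated, not merely on holding a valid token. The clock is injected so the behaviour can be exercised offline; the token string, the Angular-free `createTokenStore`/`runSensitive` names and the timings are all constructed for the example.

```javascript
// Added example, not code from the original post. In-memory OAuth2 access
// token holder with an expiry clock plus a "recent authentication" gate for
// sensitive operations. `now` is injectable so the logic can be tested
// without real time passing.
function createTokenStore({ now = () => Date.now() } = {}) {
  // The token lives only in this closure: no localStorage/sessionStorage,
  // so a copied storage dump or a later browser session does not get it,
  // and closing the tab drops it (like sessionStorage would).
  let token = null;
  let expiresAt = 0;        // ms timestamp at which the token stops being valid
  let authenticatedAt = 0;  // ms timestamp of the last interactive login

  return {
    // Store the token with the lifetime the authorization server reported
    // (expires_in in an OAuth2 token response is in seconds).
    set(accessToken, expiresInSeconds) {
      token = accessToken;
      expiresAt = now() + expiresInSeconds * 1000;
      authenticatedAt = now();
    },
    // Returns null once the token has expired; the caller then re-logs in.
    get() {
      if (token === null || now() >= expiresAt) {
        token = null;
        return null;
      }
      return token;
    },
    // Milliseconds left before expiry; use this, not a fixed number, to
    // schedule the logout timer (setTimeout wants milliseconds).
    msUntilExpiry() {
      return token === null ? 0 : Math.max(0, expiresAt - now());
    },
    // Sensitive operations require that the user authenticated within the
    // last maxAgeSeconds, independent of the token still being valid.
    isFreshlyAuthenticated(maxAgeSeconds) {
      return this.get() !== null && now() - authenticatedAt <= maxAgeSeconds * 1000;
    },
    // Call after a successful step-up (password or 2FA prompt).
    markReauthenticated() {
      authenticatedAt = now();
    },
    clear() {
      token = null;
      expiresAt = 0;
      authenticatedAt = 0;
    },
  };
}

// Run a sensitive action only with a valid token AND fresh authentication;
// otherwise tell the UI whether to log in again or to prompt for step-up.
function runSensitive(store, maxAgeSeconds, action) {
  const token = store.get();
  if (token === null) return { status: 'logged_out' };
  if (!store.isFreshlyAuthenticated(maxAgeSeconds)) return { status: 'reauth_required' };
  return { status: 'ok', result: action(token) };
}

// Walk-through with a fake clock and a constructed token (not a real one).
function demo() {
  let t = 1000000;                                  // fake "now" in ms
  const store = createTokenStore({ now: () => t });
  store.set('ya29.example-token', 3600);            // 1 h lifetime, constructed
  const freshness = 300;                            // 5 min step-up window
  const steps = [];

  steps.push(runSensitive(store, freshness, tok => 'sent with ' + tok).status); // ok
  t += 10 * 60 * 1000;                              // 10 minutes later
  steps.push(runSensitive(store, freshness, () => null).status);   // reauth_required
  store.markReauthenticated();                      // user re-entered password
  steps.push(runSensitive(store, freshness, () => null).status);   // ok
  t += 60 * 60 * 1000;                              // now past the token lifetime
  steps.push(runSensitive(store, freshness, () => null).status);   // logged_out
  return steps;
}
```

In a real app the timer would be `setTimeout(() => this.doLogout(), store.msUntilExpiry())` right after `store.set(...)`, and `runSensitive` would wrap the calls the answer lists (data changes, sensitive reads); the `reauth_required` branch is where the banking-style re-authentication prompt goes. This does not stop someone with physical access to an open, freshly authenticated tab, which is exactly the limitation the answer describes, but it does shrink the window from "whole token lifetime" to "last few minutes" and removes the copy-the-storage attack from the question.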

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. For any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM