I am building a basic webapp using Firebase that requires authentication and session handling. Going over the docs for Firebase Auth, I decided to use the email/password option over the Facebook login.
Upon successful login, we get a token that could be used again for logging in when the page refreshes or on a new tab using auth(). But, for that we would need to save the token somewhere on the client side. Going through the source code for Firefeed which implements auth and session handling, the token is saved in the localStorage of the user’s browser.
How secure is this approach? Since localStorage data would be visible to anyone using the browser. Is there any better alternative to this?
The tokens returned by the Simple Login are time-bound, user-specific tokens. If compromised, they will at worst allow an attacker to impersonate that user for a limited period of time. They do not contain the user’s password or other sensitive data.
localstorage can only be accessed by Javascript on the host domain from which it was saved, so other sites you visit will have no access to it (assuming the browser or your site haven’t been compromised, but if they have, all bets are off…)
So, short answer, this approach is quite secure.