I need to access an api which requires http authentification on a per user basis using a jquery mobile api.
I plan to make the app available as a website as well as packaging it in Cordova for various devices.
If I have a login form which captures the username and password and store this as a javascript variable, is there any way this data could be exposed?
If so, what’s the best alternative to handle storing the users authentification details? I am reticent to build an intermediary server if I don’t have to.
Many Thanks. 😀
I would suggest not storing the username or password in the localStorage, but instead to store an access token. Access tokens can be updated and changed frequently, it also doesn’t reveal who the user is or what their hashed password is.
Besides iOS Keychain or if you’re coding it for a non-iPhone device for added security you can:
Make sure you don’t store the device ID in the localStorage.
For added security you can also store the user’s IP address in the database and check (server side) if the IP address matches, but this might too much since the user would have to login every time they connect to the internet in a new location or if their IP address changes.
Storing the IP address in the server database then checking if it matches (server side) would probably be the safest since it wouldn’t matter if someone got hold of the localStorage data.