Can session storage be safe?

Front-end  Unresolved  2  601
情书的邮戳 2021-01-31 05:02

I would like to use session storage to query user data in the database only once and then simply use JS to retrieve it, so I'm thinking about using session storage. My question

2 answers
  •  予麋鹿 (OP)
     2021-01-31 05:34

    You're essentially relying on two things for session storage security:

    1. The browser limiting access only to the JavaScript on the page from this domain
    2. The JavaScript that is running on the page being secure

    Now there's not a whole lot you can do about No. 1 because that's the vendor's issue and, not pointing at anyone in particular but, most of them are usually pretty good at this kind of thing.

    So you can be fairly sure no other code on any other tab, domain, browser or process is going to be able to see your storage object.

    However, No. 2 is more difficult. You'll have to evaluate by yourself how secure your page is to script attacks; there's plenty of documentation out there on best practices, but you could go on for days. You really need to judge how sensitive the data is versus how much work and possible loss of features it would be to secure against it.

    If it's really sensitive data I'd question why you'd risk storing it client side at all and have access only through HTTPS. But your site should be secured against most scripting attacks anyway, because if third-party JavaScript is running, session cookies are up for grabs and therefore your server security is compromised too.
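The following is an added example illustrating the answer above; it is not code from the original thread or its participants. It caches a user record in sessionStorage so the database is queried once per tab, while respecting the two trust boundaries the answer names: same-origin isolation, which the browser supplies, and the page's own scripts, which cannot be assumed clean. Because every script executing in the origin (the site's own, a third-party include, or an injected payload) can read and write the same sessionStorage, the cache holds only an allow-list of non-sensitive fields and is re-validated on every read. The `storage` argument is any Storage-like object (`getItem`/`setItem`/`removeItem`), so `window.sessionStorage` works in a browser and the small in-memory stand-in lets it run under Node.js. The key name, TTL, field names and sample record are assumptions for the demonstration.

```javascript
// Added example, not from the original thread. Caches a user record in a
// Storage-like object (window.sessionStorage in a browser) with an allow-list
// of fields and strict re-validation on read, because anything in
// sessionStorage is readable and writable by every script in the origin.
// Key name, TTL, field names and sample data are assumptions for the demo.

const CACHE_KEY = 'userProfile.v1';   // assumed key name
const CACHE_TTL_MS = 15 * 60 * 1000;  // assumed: 15 minutes

// Allow-list of fields worth caching. Session tokens, roles, e-mail addresses
// and similar are deliberately absent: nothing in sessionStorage is secret
// from script running in the same origin (the answer's "No. 2" risk).
const PUBLIC_FIELDS = ['id', 'displayName', 'locale'];

function pickPublicFields(user) {
  const out = {};
  for (const f of PUBLIC_FIELDS) {
    if (typeof user[f] === 'string') out[f] = user[f];
  }
  return out;
}

// Store the allow-listed subset with an expiry. Returns what was cached.
function cacheUser(storage, user, now = Date.now()) {
  const record = { expiresAt: now + CACHE_TTL_MS, data: pickPublicFields(user) };
  storage.setItem(CACHE_KEY, JSON.stringify(record));
  return record.data;
}

// Read the cached record as untrusted input: any script in the origin could
// have written arbitrary bytes here. Malformed, expired or incomplete records
// are evicted and null is returned so the caller falls back to the server.
function readCachedUser(storage, now = Date.now()) {
  const raw = storage.getItem(CACHE_KEY);
  if (raw === null) return null;
  let record;
  try {
    record = JSON.parse(raw);
  } catch {
    storage.removeItem(CACHE_KEY);
    return null;
  }
  const ok = record !== null && typeof record === 'object' &&
    typeof record.expiresAt === 'number' && now < record.expiresAt &&
    record.data !== null && typeof record.data === 'object' &&
    PUBLIC_FIELDS.every((f) => typeof record.data[f] === 'string');
  if (!ok) {
    storage.removeItem(CACHE_KEY);
    return null;
  }
  // Re-pick so extra keys planted in storage (e.g. isAdmin) never reach the app.
  return pickPublicFields(record.data);
}

// Cache-then-server lookup. `loadFromServer` is an async function that does the
// authenticated request (over HTTPS, with the session cookie) and returns the
// user object; it runs at most once per tab while the cache is valid.
async function getUser(storage, loadFromServer, now = Date.now()) {
  const cached = readCachedUser(storage, now);
  if (cached !== null) return { user: cached, source: 'cache' };
  const fresh = await loadFromServer();
  return { user: cacheUser(storage, fresh, now), source: 'server' };
}

// Exactly what any script in the same origin, injected or not, can read.
// Auditing this string is the check that no secret made it into storage.
function whatAnyScriptInOriginSees(storage) {
  return storage.getItem(CACHE_KEY);
}

// Minimal in-memory stand-in for window.sessionStorage so the example runs
// under Node.js as well as in a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Constructed sample record of the kind a user-profile endpoint might return.
// The last two fields exist precisely to show they never reach storage.
const SAMPLE_USER = {
  id: 'u-42', displayName: 'Ada', locale: 'en-GB',
  email: 'ada@example.com', sessionToken: 'do-not-cache-me',
};
```

In a page, call `getUser(window.sessionStorage, () => fetch('/api/me', { credentials: 'same-origin' }).then((r) => r.json()))` (endpoint name assumed). Note that a same-origin script can still plant a well-formed forged record and it will be accepted; the design tolerates that only because nothing here is used for authorization, which stays server-side. The allow-list and validation reduce what an XSS can steal or influence, but, as the answer says, they do not replace securing the page against script injection in the first place.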
