
Stop using sessionStorage (security/usability issue) #103

Open
StyleT opened this issue Nov 26, 2021 · 1 comment

Comments


StyleT commented Nov 26, 2021


Current Behavior:

UI uses window.sessionStorage for auth token

Expected Behavior:

It should be stored in HTTP Only Cookie (better with secure flag).

Why?

  • Session Storage / Local Storage isn't considered secure storage for auth tokens: https://auth0.com/blog/secure-browser-storage-the-facts/
  • Now you can't effectively work with Dependency Track using several tabs, as each tab has its own Session Storage. Many users think that it's a bug, as the absolute majority of websites share the auth session between tabs.
@StyleT StyleT changed the title Stop using sessionStorage Stop using sessionStorage (security/usability issue) Nov 26, 2021
stevespringett (Member) commented

Cookies introduce other issues, notably the inability to specify, in advance, the domain and secure flags, as they are deployment dependent. It would be one additional thing users would have to do in order to get a secure deployment running. They also introduce CSRF which then DT would have to protect against, and do so in a way as to not require the server to maintain state. This likely would mean supporting double submit cookies.

This seems like a lot of unnecessary engineering that will not positively benefit DT. The weakest part of DT is securing the API keys used for automation. These are much more likely to be compromised than a theoretical XSS that could bypass CSP to extract the JWT from session storage.

Not working across tabs is a security feature; however, DT does work across tabs if a user right-clicks in the UI and opens a link in a new tab. I think this should work across most browsers. With this feature, closing a tab is essentially the same as the user logging out. I agree that most users would consider this a usability issue, but I believe this can be overcome through proper education.
