Use secure cookies as default storage method for Auth #2213

Closed
ffxsam opened this issue Nov 29, 2018 · 13 comments
Labels
Auth Related to Auth components/category feature-request Request a new feature

Comments

@ffxsam
Contributor

ffxsam commented Nov 29, 2018

I realize this is a breaking change, so maybe reserve this for a major version. Secure cookies are a more secure option than using localStorage.

@manueliglesias manueliglesias added feature-request Request a new feature Auth Related to Auth components/category labels Nov 29, 2018
@manueliglesias
Contributor

Hi @ffxsam

Thanks for the suggestion/feature-request!

@ffxsam
Contributor Author

ffxsam commented Nov 29, 2018

More info:
https://auth0.com/docs/security/store-tokens

Don't store tokens in local storage
Browser local storage (or session storage) is not secure. Any data stored there may be vulnerable to cross-site scripting. If an attacker steals a token, they can gain access to and make requests to your API. Treat tokens like credit card numbers or passwords: don’t store them in local storage.

@cliffordh

@manueliglesias Any update on this one?

@cliffordh

any update on this one?

@aggied

aggied commented Mar 7, 2019

bump -- just adding my +1 for this feature request.

@max77p

max77p commented Apr 1, 2019

I was testing auth.signIn and I noticed it stores everything in localStorage: identityId, CognitoIdP, access token, ID token, refresh token. Why is this? This is not safe at all, right, or am I mistaken?

@ffxsam
Contributor Author

ffxsam commented Apr 1, 2019

Correct. But you can override it: https://aws-amplify.github.io/docs/js/authentication#manual-setup
(see cookieStorage property)

@max77p

max77p commented Apr 1, 2019

Thanks @ffxsam. I have a follow-up to this: if I open 3 tabs, sign in using three different users, then sign out/close one tab, what do I need to do with Amplify to sign that user out only and keep the remaining users signed in?

In addition, if I sign in to the same user three times in three different tabs, does signing out in one tab invalidate the other two tabs?

@ffxsam
Contributor Author

ffxsam commented Apr 1, 2019

What you're asking for is not possible. One tab or four, they're all using the same shared cookies and local storage if it's the same website. Typically you would use a different browser or an incognito/private tab to log in as a different user in a different window.

@stale

stale bot commented Jun 15, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@ericclemmons
Contributor

Closing as secure cookies can be set with a custom storage adapter:

https://docs.amplify.aws/lib/auth/manageusers/q/platform/js#managing-security-tokens

(localStorage is still the default)
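
The two answers above (the cookieStorage option and the custom storage adapter) both amount to the same thing: swapping the store Amplify writes tokens into. The block below is an added example, not Amplify's own code, of a cookie-backed adapter in the static setItem/getItem/removeItem/clear (plus optional sync) shape the linked "managing security tokens" page documents; that interface shape and the `Auth.configure({ storage })` hook are assumptions taken from those docs. The cookie "jar" is a constructed stand-in for `document.cookie` so the code runs under Node. One caveat a reviewer would want stated plainly: a cookie written from script cannot carry HttpOnly, so an XSS payload that can read `localStorage` can read these cookies just as easily. What you gain is `Secure` (TLS only) and `SameSite=Strict`; keeping tokens out of script reach entirely requires the server to set the cookie.

```javascript
// Added example, not Amplify project code: a cookie-backed token store that
// follows the static storage-adapter shape Amplify documents for
// Auth.configure({ storage: ... }) (setItem/getItem/removeItem/clear, optional
// sync). The jar below emulates document.cookie so this runs under Node; in a
// browser you would set CookieStorage.doc = document.

// Constructed stand-in for document.cookie. Reads return "name=value; ..." and
// each write sets exactly one cookie, as the browser API does.
function makeCookieJar() {
  const jar = new Map(); // name -> { value, attrs }
  return {
    get cookie() {
      return [...jar].map(([k, c]) => `${k}=${c.value}`).join('; ');
    },
    set cookie(str) {
      const [pair, ...attrs] = str.split(';').map((s) => s.trim());
      const eq = pair.indexOf('=');
      const name = pair.slice(0, eq);
      const value = pair.slice(eq + 1);
      const maxAge = attrs.find((a) => /^max-age=/i.test(a));
      if (maxAge && Number(maxAge.split('=')[1]) <= 0) {
        jar.delete(name); // Max-Age=0 is how script expires a cookie
      } else {
        jar.set(name, { value, attrs });
      }
    },
    // Test hook: the attributes the last write for `name` carried.
    attributesOf(name) {
      const c = jar.get(name);
      return c ? c.attrs : null;
    },
  };
}

// Secure: only sent over TLS. SameSite=Strict: never sent on cross-site
// requests. Path=/ so every route on the origin sees the same session.
// HttpOnly cannot be set from script, so XSS can still read these cookies.
const COOKIE_ATTRS = ['Path=/', 'Secure', 'SameSite=Strict'];

class CookieStorage {
  static doc = makeCookieJar(); // replace with `document` in a browser

  static setItem(key, value) {
    const cookie = [`${encodeURIComponent(key)}=${encodeURIComponent(value)}`, ...COOKIE_ATTRS];
    CookieStorage.doc.cookie = cookie.join('; ');
    return value;
  }

  static getItem(key) {
    const target = encodeURIComponent(key);
    for (const part of CookieStorage.doc.cookie.split('; ')) {
      const eq = part.indexOf('=');
      if (eq > 0 && part.slice(0, eq) === target) {
        return decodeURIComponent(part.slice(eq + 1));
      }
    }
    return null; // same contract as localStorage.getItem on a miss
  }

  static removeItem(key) {
    CookieStorage.doc.cookie = [`${encodeURIComponent(key)}=`, 'Max-Age=0', ...COOKIE_ATTRS].join('; ');
  }

  static clear() {
    // Snapshot the names first; each removeItem rewrites the jar.
    const names = CookieStorage.doc.cookie
      .split('; ')
      .filter((p) => p.includes('='))
      .map((p) => decodeURIComponent(p.slice(0, p.indexOf('='))));
    names.forEach((n) => CookieStorage.removeItem(n));
  }

  // Cookies are read synchronously; nothing to hydrate before first use.
  static sync() {
    return Promise.resolve();
  }
}

// Usage in a browser (assumed Amplify hook, per the linked docs):
//   CookieStorage.doc = document;
//   Auth.configure({ storage: CookieStorage });
```

Because cookies are scoped per origin and shared across tabs, this adapter does not change the multi-tab behaviour discussed earlier in the thread: every tab of the same site reads the same session.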

@EvanErickson

Hello, thank you for aws-amplify. Our dev team loves it. Why is local storage still the default for aws-amplify? Is it just out of convenience? I see we can switch over to cookies, thanks for the links (above), but I am still wondering why this hasn't been patched, or if it is even necessary.

Thanks and have a great day.

@github-actions

github-actions bot commented Jan 9, 2022

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 9, 2022
8 participants