DEV Community

Discussion on: Please Stop Using Local Storage

Chris Jasper

I disagree on the security concerns with LS and JWT. As others have said, you will have a much larger concern if an attacker can inject JS into your site. Proper use of JWT is implementing expiry and sensible authorization after one has authenticated.
Deferring to the Auth0 docs, they recommend LS or cookies for storage.

Randall Degges • Edited

I'm very familiar with Auth0 and have a lot of friends there. That being said: they recommend incorrect things all the time.

Nobody is perfect, especially not security companies! We get things wrong all the time ^

Suhas Chatekar
  1. They do not recommend, they say you "can" use local storage
  2. Right after that they say, you can use cookies too
  3. For both options they tell you what can go wrong
  4. For the local storage option, they mention XSS, exactly the thing this article is trying to educate us about
Kyle Pollich

Deferring to Auth0 is a great call here.

auth0.com/docs/security/store-toke...