Security and performance impact of client-side token storage methods

This is a Bachelor's thesis from Blekinge Tekniska Högskola/Institutionen för programvaruteknik

Authors: Gustav Fors; Abbas Radhi; [2022]

Keywords: storage; security; performance; tokens;

Abstract: Applications store more data than ever before, including sensitive information such as user data, credit card information, and company secrets. Due to the value of this data, malicious actors have a financial incentive to employ a variety of attacks against applications in order to gain access to it. As a consequence, application owners protect data behind authorization systems, with a common solution being token-based authentication systems in which the user’s client receives and stores an access token after successful authentication. Developers seeking to create secure and effective applications face a number of questions. How do clients store these tokens and are they vulnerable to attack? What is the most secure way to store these tokens, and how do different storage methods impact the user experience? The objective of this study is to answer these questions by comparing current storage methods available to developers of frontend applications. Literature was reviewed and an empirical study conducted so that comparisons could be made. Six storage options were found to be viable choices for review and ultimately it was concluded that in-memory storage with closures was the most secure storage option, but that this choice could have an impact on the usability of the application depending on the user's desire for data persistence.
