Best Practice for Storing Login Credentials in ClojureScript


In ClojureScript, I initially stored login credentials and authorization information in an atom state. However, I encountered a persistent issue where the atom state gets flushed upon page refresh, leading me to explore alternative storage solutions.

Previous Approach:

(set! (.-cookie js/document) {:customer true :supplier false :admin false :user "test" :company "company-test"})

Questions:

  • I'm seeking recommendations for a more reliable way to store login credentials persistently on the client side without losing data upon page refresh.

  • Is storing sensitive data such as login credentials in cookies a secure approach? Are there potential vulnerabilities or better alternatives that offer enhanced security?


Eugene Pakhomov On

The best practice to store credentials (login+password+whatever else) on the frontend side is not to store them. You store a secure cookie with the right session ID, not the credentials themselves. If the cookie is not a session one, it's a permanent one. Such a cookie also has an expiration date. Of course, that requires you to have a backend that can store all the session information.

I wouldn't call the map in your code block "credentials", it's more like "user properties" or something like that. They shouldn't be persisted anywhere except for the server, and on every page load those details should be retrieved again using the session ID stored in the cookie. Note that you don't need to do anything on the client side to make cookies work - it's all done on the backend.

Vincent Pulling On

You can encrypt (hard to crack, and cannot be tampered with) or encode (easy to crack, and cannot be tampered with) your data.

On the client side, in localStorage, for example, instead of storing actual credentials, consider using authentication tokens (like JWTs). The server issues a token upon successful login, and the client stores this token. The token is then used for subsequent requests to authenticate the user.

The token has all the info; you send it over the wire with each request, the token is read by the server, and the server confirms it is legit and knows who is doing the actions.

To create such a token:

  1. User Authentication
     • Initial Login: The user logs in with their credentials (username and password).
     • Server Validation: The server validates these credentials against the stored user data (usually in a database).

  2. Token Generation
     • Create Token: Upon successful login, the server generates a token. This can be a random string or a structured token like JWT (JSON Web Token).
     • Include Necessary Information: For JWT, include claims like user ID, issued time, and expiration time. Be cautious not to include sensitive information.
     • Sign the Token: If using JWT, sign the token with a secret key. This ensures that the token can't be tampered with.

  3. Send it over (https) to the client

  4. Send back [from client] to server on every request

  5. Have the server check the expiration time on the token and, if it is coming up soon,

  6. Refresh the token for an uninterrupted experience

  7. When expired, redirect to login