[FIXED] How to securely store localstorage in angular 5

Issue

Is there any way to store localstorage securely, like encrypting and decrypting the localstorage data? I don’t want other users to manipulate the localstorage data.
If that is not possible with localstorage, what are the other ways to store data at client side?

I have seen websql, but that can also be manipulated easily by writing queries in the console.

Note: Can you please provide the solution for Angular 2+?

Solution

Contrary to the other answer, you can securely store any value in the client, where by “securely” I mean the value is not known to the client and/or cannot be modified. The storage mechanism can be localStorage, websql or whatever else. The catch is that JavaScript code will not be able to read and/or modify such a value either, because obviously JavaScript is the client from which you want to protect such data.

If you have a server-side secret (a key), you can use that to encrypt (for confidentiality) and/or sign (for integrity) any data sent to the client. This is how frameworks like Rails handle sessions by default without server-side persistence and still relatively securely.

Note that simply encrypting a cookie on the server will not necessarily authenticate its contents (see authenticated encryption), and also such a cookie would be vulnerable to replay attacks, against which you can use a timestamp or a nonce. You have to care about forward secrecy if you need it. So in short you have to take care of stuff yourself, which is not straightforward, but not impossible either.

If you only sign the data but do not encrypt it, JavaScript may have access to it, but still won’t be able to modify it.

Answered By – Gabor Lengyel

Answer Checked By – Mildred Charles (Easybugfix Admin)
