Hacker News

Can you confirm that you don’t recommend storing session tokens in localStorage / anything accessible by client-side JS? (It’s a commonly recommended bad practice these days)


Yes, we do not recommend storing tokens in localStorage. This is also recommended by other security bodies such as OWASP and NIST. We've written a blog post on this topic as well, which you can read here:

https://supertokens.io/blog/cookies-vs-localstorage-for-sess...


Great! Pleased to see this :)



