
So basically, when I log in, my backend returns a token, so I store it like:

// var token is global
token = res.data.token;
sessionStorage.setItem("token", token);

And when I log out, I just remove the item from sessionStorage and reset the var:

token = '';
sessionStorage.removeItem("token");

Then in all my requests I use the var to create the header:

{ headers: { "Authorization": "Bearer " + token } }

But I don't know if I should keep the token var or just access the storage for each request, like:

{ headers: { "Authorization": "Bearer " + sessionStorage.getItem("token") } }

Right now I just use the storage in case the user refreshes the page, so he doesn't lose the JavaScript context, because I thought it is more efficient than accessing the storage for each request, but I don't know what the best approach is security-wise, or what developers usually do?

asked Jun 10, 2018 at 8:41 by user7056422; edited Jun 11, 2018 at 20:31 by pgSystemTester

2 Answers

It makes no difference from a security perspective; neither is more secure than the other.

If you only need the token when doing an ajax call, don't worry about the overhead of getting it from sessionStorage. That operation doesn't take any significant time at all, certainly not compared with doing an ajax call. You'd only need to cache the result in a variable if you were using it in a tight loop doing thousands of operations (or possibly hundreds of thousands) while the user waited for them. You might want it in a variable for other reasons (convenience, for instance), but there's no efficiency argument in the case you describe.

General rule: Worry about performance when you have a performance problem (but, you know, don't be completely silly doing things you know are horribly inefficient...). :-)

First things first - if you are loading ANY 3rd party JS, don't use local/session storage to store any sensitive data, including tokens (JWTs I guess?). This type of storage is completely unprotected; any JS running on your page can access it. Once any of the 3rd party scripts gets compromised, so does your app (potentially sending all your user session data to an attacker). A JWT is somewhat of a username + password equivalent and should be handled as such. Use a secure httpOnly cookie to transfer JWTs, or store the session data server-side and have the token become a signed session cookie.

The overhead of accessing local/session storage is quite negligible. In case you worry about performance a lot, though, load the token into a variable (or some kind of service or store) on app initialisation, construct the Authorization header using that, and access the storage only when the token changes.

Also, take a peek here:

https://dev.to/rdegges/please-stop-using-local-storage-1i04

https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage

Hope this helps a little :-)

Tags: javascript. Source: "Should I get access token from sessionStorage for each request?" on Stack Overflow.