User-Token security in single page application

jonas-eberhard · March 6, 2019, 9:53am

Hey guys,

I want this to be a more a general question and discussion thread. We are thinking about restructuring our application webpage and build it as a single page application. This has the advatage, that the webserver does not need any session handling any more, as well as the single page application (SPA) would just be another client to the backendless API.
Currently we are using many PHP scripts in the webpage and all requests to the backendless API are done in PHP. Also dynamic AJAX requests from the webpage are going to PHP scripts, which are then calling the backendless API.

My concerns about a single application is the security of the user-token. There is only the way to store it in the local/sessionStorage, as the Backendless JS SDK does. The advantage of the PHP session solution was, that the user-token is never forwarded to the browser and JS, so there were less XSS and CSRF problems.

Any ideas how to improve the security of a SPA? Any recommendations to build a secure SPA?

Cheers,
Jonas

sergey.kuk · March 6, 2019, 10:20am

Hello @jonas-eberhard

In my opinion PHP session is not more secure then store user token in the local storage. Because if someone has access to your browser he can get the session and use it. https://en.wikipedia.org/wiki/Session_hijacking

jonas-eberhard · March 6, 2019, 10:36am

Thats right, PHP session cookies are vulnerable with CSRF attacks, the browser localStorage for XSS.
So it seems just to be a tradeoff how to secure the website agains either attacks.

An a non professional JS developer, I find securing agains CSRF easier, but maybe because I’m more used to admin servers.