javascript - Encrypting, then storing access token in localStorage - Stack Overflow


My API returns an access token after a user signs in.

All future requests must include this token in the Authentication header.

I'd like users to remain logged in even if they close and re-open the browser.

Can I safely store an encrypted version of this access token in localStorage, retrieve it, unencrypt it in my React client code and send it off to the API?


asked Mar 7, 2019 at 2:42 by slindsey3000
  • 1 You can, but if you control the API you may want to consider using cookie based storage and preventing access via CORS. This prevents XSS attacks from obtaining access to encrypted authentication data. – coreyward Commented Mar 7, 2019 at 3:00
  • 1 nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/august/… – Victor Commented Mar 7, 2019 at 3:27
  • 1 security.stackexchange.com/questions/173620/… – Victor Commented Mar 7, 2019 at 3:27
  • 1 I would recommend you to move away from local storage to keep sensitive information, it is not safe. At work, we have a bunch of single-page applications using cookies to keep the access token of the user, which is a much safer solution. You can read more about why we should be using cookies instead of local storage to keep sensitive information in this link: dev.to/rdegges/please-stop-using-local-storage-1i04 – Nícolas Iensen Commented Mar 7, 2019 at 6:06

1 Answer

Sure, you could use something like this https://www.npmjs.com/package/aes-js or another library if you like at https://www.npmjs.com/search?q=keywords:encrypt.

I think the real question is why? The user can always see the unencrypted value in the network request of the dev tools. If the access token is tied to a username and password that the user owns, why can't they see it? It's really just another way to write their username and password. If it is associated with a username that belongs to your app (such as your server uses that username to log in to another server for all requests, not just for this one user) then you shouldn't pass it to the browser ever because it is easy to steal.
