
I'm developing a single page booking application using angular which interacts with my REST API.

I have various routes defined in my application and I'm using local storage to store the state of each page as a user fills in their information. Once the user has filled in everything, I post this to my API, generate a hash and redirect them to a payment gateway before coming back to a results page. The reason for local storage is so we can persist a user's filled-in details, even if they close the page and re-open it.

I shouldn't store sensitive information such as user names and addresses in local storage though, because this leaves me vulnerable to cross-site scripting.

Storing this information on the server would break the stateless principles of REST APIs.

Are there any suggestions on how to best architect my application?

Anton Rand

1 Answer

Edit: the content below is incorrect. Cookies and local storage are both domain restricted. Local storage's main weakness is that it can be accessed and modified by local users and programs indiscriminately, and that treating the contents of local storage as trusted input opens the door to nasty DOM XSS and stored XSS attacks.

One option would be to use cookies to store the user's information. You could have a cookie per field, set the cookie when the user fills in the field, and read the cookies to populate the fields when the user loads the page.

F. Stephen Q
    I was under the impression that Local Storage is also [domain specific](http://stackoverflow.com/questions/4201239/in-html5-is-the-localstorage-object-isolated-per-page-domain)? I'd also still be at risk of cross site attacks, as they can be accessed through JavaScript. I'd ideally use HTTP only cookies but by their very nature these can't be accessed or modified via JavaScript. – Anton Rand Oct 01 '15 at 16:15
  • You are absolutely correct; my brief research brought me to a completely incorrect conclusion. – F. Stephen Q Oct 01 '15 at 17:39
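The point the answer's edit makes, that whatever comes back out of local storage has to be treated as untrusted input, is easy to get wrong in a form-persistence layer. The following is an added example, not code from the question or the answer: a small draft-persistence module that keeps only non-sensitive, allow-listed fields in storage, re-validates everything on load against that allow-list, and escapes the result before it is ever turned into markup. The field names, limits and the `MemoryStorage` stand-in for `window.localStorage` are assumptions made up for the example so it runs under Node; in a browser you would pass `window.localStorage` instead.

```javascript
// Added example, not code from the original question or answer: persisting a
// booking draft in localStorage without treating what comes back out of it as
// trusted input. Runs under Node with an in-memory stand-in for
// window.localStorage; in the browser pass window.localStorage instead.
// Field names and limits are assumptions made up for the example.

const DRAFT_KEY = 'booking-draft';

// What a draft may contain: an allow-list of keys, each with a value check.
// Sensitive fields (name, address, card data) are deliberately absent: they
// are posted to the API and never written to storage.
const DRAFT_SCHEMA = {
  step:     (v) => Number.isInteger(v) && v >= 1 && v <= 4,
  guests:   (v) => Number.isInteger(v) && v >= 1 && v <= 10,
  roomType: (v) => ['single', 'double', 'suite'].includes(v),
  notes:    (v) => typeof v === 'string' && v.length <= 500,
};

// Keep only allow-listed keys whose values pass their check. Iterating the
// schema's keys (not the input's) also means '__proto__' and friends are ignored.
function filterDraft(obj) {
  const clean = {};
  for (const key of Object.keys(DRAFT_SCHEMA)) {
    if (Object.prototype.hasOwnProperty.call(obj, key) && DRAFT_SCHEMA[key](obj[key])) {
      clean[key] = obj[key];
    }
  }
  return clean;
}

function saveDraft(storage, draft) {
  const clean = filterDraft(draft);
  storage.setItem(DRAFT_KEY, JSON.stringify(clean));
  return clean;
}

// Unsafe: whatever is in storage (edited in DevTools, written by another
// script on the same origin) comes straight back as application state.
function loadDraftUnsafe(storage) {
  return JSON.parse(storage.getItem(DRAFT_KEY) || '{}');
}

// Safe: storage is treated like any other untrusted input and re-validated.
// Malformed JSON, non-objects and unknown or out-of-range fields are dropped.
function loadDraft(storage) {
  let raw;
  try {
    raw = JSON.parse(storage.getItem(DRAFT_KEY) || '{}');
  } catch {
    return {};
  }
  if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) return {};
  return filterDraft(raw);
}

// Escape for the case where markup is built by hand; Angular bindings or
// textContent are preferable, but the draft must never reach innerHTML raw.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function renderSummary(draft) {
  const room = draft.roomType ?? 'unselected';
  const notes = draft.notes ?? '';
  return `<p>Step ${draft.step ?? 1}: ${escapeHtml(room)}, ${draft.guests ?? 1} guest(s). Notes: ${escapeHtml(notes)}</p>`;
}

// Minimal stand-in for window.localStorage so the example runs outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Demo: a legitimate save, then a tampered entry (constructed for the example)
// that smuggles markup and an extra flag into the draft.
function demo() {
  const storage = new MemoryStorage();
  saveDraft(storage, { step: 2, guests: 2, roomType: 'double', notes: 'late arrival', fullName: 'Alice Example' });
  storage.setItem(DRAFT_KEY, JSON.stringify({
    step: 2, guests: 99, roomType: '<img src=x onerror=alert(1)>', notes: '<b>x</b>', isAdmin: true,
  }));
  const safe = loadDraft(storage);
  return { unsafe: loadDraftUnsafe(storage), safe, html: renderSummary(safe) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two layers do the work here. The allow-list in `loadDraft` removes anything that is not a recognised, in-range field, so a tampered `roomType` or an injected `isAdmin` flag never becomes state; `escapeHtml` then covers the free-text `notes` field, which legitimately holds arbitrary characters and so cannot be rejected by validation alone. Note that the draft never contains the sensitive fields in the first place, which is the cheapest mitigation of all.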