@dfinity/auth-client sessionStorage

Motokoder · April 25, 2022, 1:40am

I am using @dfinity/auth-client@0.11.1, and I want to store the authentication state in the browser’s session storage instead of local storage.

      const options: AuthClientCreateOptions = {
        storage: new LocalStorage(
          ‘myprefix-‘, window.sessionStorage
        ),
      };

      const authClient = await AuthClient.create(options);

This works fine in a single tab, but when opening links in a new tab, the user is no longer logged-in. When I look at the session storage in Chrome Dev Tools, I can see that it exists in the original tab, but not the new tab.

In contrast, if I do not specify a storage option, leaving the default to local storage, I stay logged-in across tabs, and I can see the authentication data in the local storage of all tabs using Chrome Dev Tools.

The motivation to use session storage is because all session data is lost when all tabs in the session are closed. This is preferred for security so that another user can not open the website later and continue the session.

Is session storage supported? If so, am I using the API correctly? Thanks.

peterparker · April 25, 2022, 4:58am

From the MDN documentation:

Opening multiple tabs/windows with the same URL creates sessionStorage for each tab/window.

The behavior - “when opening links in a new tab, the user is no longer logged-in” - you describe seems correct to me.

Motokoder · April 25, 2022, 1:45pm

@peterparker Thank you for the response. In past SPA projects I was able to maintain session across tabs, but that was because of HTTP Only cookies/OAuth. I realize now that my expectations of sessionStorage were incorrect.

Motokoder · April 25, 2022, 1:50pm

It appears that session state which clears when tabs are closed is possible with some trickery. I’ll do some testing at least, as it would be nice for security purposes.

kpeacock · April 25, 2022, 5:29pm

We have a request from the security team to upgrade the default storage provider to use LocalDB and the WebCrypto API.

That may not serve the exact purposes you are looking for though, so I want you to be aware that you can create your own solution to pass in during the AuthClient.create args, as long as it implements the AuthClientStorage API

Motokoder · April 25, 2022, 5:56pm

Great to know this! Thank you Kyle.

Topic		Replies	Views
Save generated Identity in browser local storage JavaScript Discussing	2	1124	September 20, 2022
Can I use @dfinity/auth-client in react native? Developers	11	547	March 20, 2024
AuthClient (@dfinity/auth-client) can we use two different identity in same web page? Programs & Applications	3	452	April 12, 2023
Issue with the public-private key pair storage strategy Community Tutorials & Video	7	2186	March 15, 2021
User authent on the IC Developers	5	860	July 24, 2020

@dfinity/auth-client sessionStorage

Related topics