
Until now the output from all inputs, access tokens for authentication and conditionals were saved in cookies in the project that I started working on, so that they are easily accessible at the end of the form to create a ticket. In theory this is a risk, as the user could just adjust the values saved in the cookies. Local storage would not be an option as the values are not deleted after a while. Session storage would serve in a similar way as cookies, as far as I understand, but the values could still be adjusted.

In which cases do I want to use cookies for my values, and when should I keep them only in the code logic? As I did not make the decision to save everything in the cookies and I haven't found an answer yet, perhaps there are some best practices to follow.

  • Validate everything on the backend. You should not trust any user-provided input. You can store them wherever you want; they are still prone to tampering. One could use Postman, for example, and call your API directly, and then your client-side validation becomes useless. You cannot trust any input that your users provide. – Octavian Mărculescu Sep 26 '22 at 09:30
  • Security should never rely on the frontend. For rare use cases where the user rights are stored in a cookie, have them signed by the backend. The user can still modify the content, but the signature won't match anymore, so the backend will reject it. – Arnaud Denoyelle Sep 26 '22 at 09:52
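One way to do what the last comment describes, signing the form state with a backend-only key so that any edit made in the browser is detected on the next request (added example, not code from the question or the comments; the secret, the `<body>.<tag>` layout and the field names are assumptions):

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Assumed server-side secret; load it from the environment or a secrets store
# in practice and never send it to the browser. Constructed value for the demo.
SECRET_KEY = b"constructed-example-key-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_body(payload: dict) -> str:
    return _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())


def sign_cookie(payload: dict, key: bytes = SECRET_KEY) -> str:
    """Serialise the form state and append an HMAC-SHA256 tag: '<body>.<tag>'."""
    body = _encode_body(payload)
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Return the payload only if the tag matches; None means 'treat as untrusted'."""
    body, sep, tag = cookie.rpartition(".")
    if not sep or not body:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    try:
        # Constant-time comparison; lengths differing simply yields False.
        if not hmac.compare_digest(_unb64(tag), expected):
            return None
        return json.loads(_unb64(body))
    except ValueError:  # bad base64 (binascii.Error) or malformed JSON
        return None


def tamper_demo() -> Tuple[Optional[dict], Optional[dict]]:
    """Constructed sample: the genuine cookie verifies; an edited copy does not."""
    cookie = sign_cookie({"step": 3, "role": "user", "ticket_type": "support"})
    genuine = verify_cookie(cookie)
    # Simulate a user editing the cookie in devtools: new body, original tag kept.
    _, _, tag = cookie.rpartition(".")
    forged = verify_cookie(f"{_encode_body({'step': 3, 'role': 'admin'})}.{tag}")
    return genuine, forged
```

The backend still has to validate the verified payload (e.g. that the role is one this user may hold), since the signature only proves the server produced it, not that the values are still appropriate.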

0 Answers