To also add to your discussion, sessionStorage can also be attacked via XSS JavaScript, so it is still not a good idea to store anything secure in it. The only currently secure place to store creds is in a cookie, and then only if the HttpOnly and Secure flags are set. This then means that the data cannot be seen via JavaScript, only by the web server. So then any break-in via XSS cannot retrieve the data and have someone else use it.
Now, as an aside, in theory you could encrypt the data stored and encode in it the source IP address of the browser, so if someone does try to reuse it, you can ignore the data as the encoded IP wouldn't match the IP that they were coming from. Again, this would have to be done at the web server level, where it can see the Internet IP address, not the client browser IP, as they will more than likely be NATed, so not unique.
Cheers
Fran.
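The two server-side pieces the comment above describes, as an added example that is not Fran's code or the project's: a Set-Cookie header with the HttpOnly and Secure flags (so page JavaScript, injected or not, never sees the session value), and a session token bound to the client IP the server observes. Instead of encrypting the IP into the stored data, the example uses an HMAC over the session id and the IP; that is a swapped-in technique, and the key, the cookie name, the IP addresses and the session id are all constructed for the demo. It uses only the Python standard library.

```python
"""Added example (not from the original comment): HttpOnly/Secure session
cookie plus an IP-bound session token verified on the server side."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# Hypothetical server-side secret; in production load it from a secret store.
SERVER_KEY = b"constructed-demo-key-do-not-use-in-production"
COOKIE_NAME = "session"  # assumed cookie name


def session_cookie_header(token: str) -> str:
    """Return the Set-Cookie header value for the session token.

    HttpOnly keeps the value out of document.cookie, so a script injected via
    XSS cannot read it; Secure stops the browser sending it over plain HTTP;
    SameSite=Strict keeps it off cross-site requests.
    """
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    cookie[COOKIE_NAME]["httponly"] = True
    cookie[COOKIE_NAME]["secure"] = True
    cookie[COOKIE_NAME]["samesite"] = "Strict"
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie[COOKIE_NAME].OutputString()


def _mac(session_id: str, client_ip: str) -> str:
    """HMAC-SHA256 over the session id and the IP the server saw it from."""
    msg = f"{session_id}|{client_ip}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, client_ip: str) -> str:
    """Bind session_id to client_ip. The binding is a MAC, not a ciphertext,
    so the client cannot forge a token for another IP without SERVER_KEY."""
    return f"{session_id}.{_mac(session_id, client_ip)}"


def verify_token(token: str, client_ip: str) -> Optional[str]:
    """Return the session id if the MAC matches this client_ip, else None.

    A token replayed from a different IP fails here, which is the server-side
    check the comment describes: the server, not the browser, supplies
    client_ip (for example WSGI's REMOTE_ADDR), so a NATed LAN address on the
    client side never enters the calculation.
    """
    parts = token.rsplit(".", 1)
    if len(parts) != 2:
        return None
    session_id, presented_mac = parts
    if not hmac.compare_digest(presented_mac, _mac(session_id, client_ip)):
        return None
    return session_id


def authenticate(cookie_header: str, remote_addr: str) -> Optional[str]:
    """Parse an incoming Cookie header and verify the session for remote_addr."""
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    if COOKIE_NAME not in cookies:
        return None
    return verify_token(cookies[COOKIE_NAME].value, remote_addr)


if __name__ == "__main__":
    # Constructed walk-through: issue at one IP, replay from another.
    sid = secrets.token_hex(16)
    token = issue_token(sid, "203.0.113.7")
    print("Set-Cookie:", session_cookie_header(token))
    print("same IP  ->", authenticate(f"{COOKIE_NAME}={token}", "203.0.113.7"))
    print("other IP ->", authenticate(f"{COOKIE_NAME}={token}", "198.51.100.9"))
```

Issuing and checking the token on the server keeps the whole binding invisible to the browser: the script-facing side only ever sees a cookie it cannot read. Keep in mind that users behind carrier-grade NAT or on mobile networks can change egress IP mid-session, so a strict IP binding trades some availability for the replay protection.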