#multiplatform

Shubham Mogarkar

03/22/2024, 10:12 AM
Hey everyone! I'm exploring session management in a Web Assembly project using Compose multiplatform. In Android, we often use Shared Preferences for data storage. Are there similar mechanisms or libraries available for storing session data effectively in this environment? Any insights or recommendations would be highly valued. Thanks for your assistance.

uli

03/22/2024, 11:47 AM
For a SharedPreferences replacement you could take a look at multiplatform-settings by @russhwolf. But keep in mind that, as far as I know, for web localStorage is the default implementation, which might not be appropriate for some session data aka tokens:
If you use localStorage for persisting access tokens and an attacker manages to run foreign JavaScript code within your application, the attacker can exfiltrate any tokens and call APIs directly. Moreover, XSS also allows attackers to manipulate data in the local storage of the application, meaning attackers can change the token.
https://thenewstack.io/best-practices-for-storing-access-tokens-in-the-browser/

russhwolf

03/23/2024, 5:27 PM
I'm open to suggestions if you're in need of an alternate backing API.

uli

03/24/2024, 12:49 PM
Hi Russell, I am not sure what @Shubham Mogarkar wants to store in his key value store. The issue I was pointing out is about data in local storage being accessible through JS and thereby hard to protect against a selection of attacks. At least for the refresh token, HTTP-only cookies are suggested instead, which are managed by the browser and directly exposed to the server, without even the local app having access. I guess this is orthogonal to the scope of your framework, an application-accessible key value store. So nothing you can do. It's the app author who has to choose a different authentication flow.