I noticed something during testing with CSR login in a Next.js app.
After a successful login, Appwrite creates a key in localStorage called cookieFallback, which contains the value of the a_session_<PROJECT_ID> cookie (the actual session).
This means that even if I’m using cookie-based authentication, the session is also stored in localStorage. As a result, if the app has an XSS vulnerability, an attacker could simply run:
localStorage.getItem("cookieFallback");
… and steal the session token.
This seems like a potential security issue, because one of the main reasons for using HttpOnly cookies is to avoid exactly this kind of XSS token leakage.
Could you clarify whether this is expected behavior or it is an issue??
TL;DR
Developers noticed that after a successful login, the session token is stored in localStorage alongside cookies in a Next.js app. This raises security concerns as it poses a risk of token theft through XSS attacks. They seek clarification on whether this behavior is intentional or a security flaw.
