
Potential Security Issue: Session stored in localStorage (cookieFallback)

  • Auth
  • Web
Saimon
9 Sep, 2025, 08:35

I noticed something during testing with CSR login in a Next.js app. After a successful login, Appwrite creates a key in localStorage called cookieFallback, which contains the value of the a_session_<PROJECT_ID> cookie (the actual session). This means that even if I’m using cookie-based authentication, the session is also stored in localStorage. As a result, if the app has an XSS vulnerability, an attacker could simply run:

localStorage.getItem("cookieFallback");

… and steal the session token. This seems like a potential security issue, because one of the main reasons for using HttpOnly cookies is to avoid exactly this kind of XSS token leakage.

Could you clarify whether this is expected behavior or whether it is an issue?

TL;DR
Developers noticed that after a successful login, the session token is stored in localStorage alongside cookies in a Next.js app. This raises security concerns as it poses a risk of token theft through XSS attacks. They seek clarification on whether this behavior is intentional or a security flaw.
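An added audit, written for this thread and not taken from the post or the Appwrite SDK, that scans a Web Storage object for the duplicated session the post describes and reports it without logging the token itself. The storage contents and the project id `demo_project` are constructed; the cookie-name pattern is assumed from the post's `a_session_<PROJECT_ID>` example, and `cookieFallback` is handled both as a bare token and as a JSON map of cookie name to value.

```javascript
// Session cookie names as described in the thread; the id charset is an assumption.
const SESSION_KEY_RE = /^a_session_[A-Za-z0-9_-]+$/;
const FALLBACK_KEY = "cookieFallback";

// A stored value may be a bare token or a JSON object of cookie name -> value.
function extractSessions(rawValue) {
  try {
    const parsed = JSON.parse(rawValue);
    if (parsed && typeof parsed === "object") {
      return Object.entries(parsed)
        .filter(([k]) => SESSION_KEY_RE.test(k))
        .map(([k, v]) => ({ cookie: k, value: String(v) }));
    }
  } catch (_) {
    // Not JSON: treat the whole string as a raw token.
  }
  return rawValue ? [{ cookie: null, value: rawValue }] : [];
}

// Walk a Storage-like object (length/key/getItem) and report session material
// that a script running in the page could read. Only the token length is kept.
function findSessionLeaks(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key);
    if (key !== FALLBACK_KEY && !SESSION_KEY_RE.test(key)) continue;
    for (const s of extractSessions(value)) {
      const cookie = s.cookie ?? (SESSION_KEY_RE.test(key) ? key : null);
      findings.push({ storageKey: key, cookie, tokenLength: s.value.length });
    }
  }
  return findings;
}

// Drop the copy so page scripts cannot read it; returns whether anything was removed.
function scrubFallback(storage) {
  const had = storage.getItem(FALLBACK_KEY) !== null;
  storage.removeItem(FALLBACK_KEY);
  return had;
}

// Constructed stand-in for window.localStorage so the audit runs outside a browser.
function makeStorage(entries) {
  const map = new Map(Object.entries(entries));
  return {
    get length() { return map.size; },
    key: (i) => Array.from(map.keys())[i] ?? null,
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    removeItem: (k) => { map.delete(k); },
  };
}

// Constructed sample: a theme setting plus the duplicated session the post describes.
const sampleStorage = makeStorage({
  theme: "dark",
  cookieFallback: JSON.stringify({ a_session_demo_project: "constructed-session-token-value" }),
});
```

The key's name suggests it exists for browsers that refuse the cookie, so clearing it is only safe where the HttpOnly cookie is actually being sent; confirm that against the SDK documentation before scrubbing in production. In a browser, pass `window.localStorage` directly in place of the constructed object.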