I noticed something during testing with CSR login in a Next.js app. After a successful login, Appwrite creates a key in localStorage called cookieFallback, which contains the value of the a_session_<PROJECT_ID> cookie (the actual session). This means that even if I’m using cookie-based authentication, the session is also stored in localStorage. As a result, if the app has an XSS vulnerability, an attacker could simply run:
```js
localStorage.getItem("cookieFallback");
```
… and steal the session token. This seems like a potential security issue, because one of the main reasons for using HttpOnly cookies is to avoid exactly this kind of XSS token leakage.
Could you clarify whether this is expected behavior or whether it is an issue?
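As an added example (not code from the post above and not part of the Appwrite SDK), here is a small audit that enumerates a Web Storage object for Appwrite session material that any script running on the page, including an XSS payload, can read. It assumes that `cookieFallback` holds a JSON object mapping cookie names to values, with the session stored under a key of the form `a_session_<PROJECT_ID>`; the project ID and token in the sample storage are constructed placeholders. The `MemoryStorage` class is a stand-in for `window.localStorage` so the check runs outside a browser; in a real page you would call `findExposedSessions(window.localStorage)` from the console.

```javascript
// Added example (not from the original post or the Appwrite SDK).
// Audits a Web Storage object for Appwrite session material that any
// script on the page (including an XSS payload) could read.
// Assumption: cookieFallback holds a JSON object mapping cookie names to
// values, with the session under a key of the form a_session_<PROJECT_ID>.

const SESSION_KEY_PATTERN = /^a_session_/;

// Shortens a token for display so an audit log does not itself leak it.
function redact(token) {
  return token.length <= 8 ? '****' : token.slice(0, 4) + '...' + token.slice(-4);
}

// Returns one finding per session value reachable through the storage API,
// either nested inside a JSON blob (the cookieFallback case) or stored
// directly under a session-like key.
function findExposedSessions(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const storageKey = storage.key(i);
    const raw = storage.getItem(storageKey);
    if (raw === null) continue;

    let parsed = null;
    try {
      parsed = JSON.parse(raw);
    } catch {
      parsed = null; // plain string value, not a JSON blob
    }

    if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
      for (const [cookieName, value] of Object.entries(parsed)) {
        if (SESSION_KEY_PATTERN.test(cookieName) && typeof value === 'string') {
          findings.push({ storageKey, cookieName, tokenPreview: redact(value) });
        }
      }
    } else if (SESSION_KEY_PATTERN.test(storageKey)) {
      findings.push({ storageKey, cookieName: storageKey, tokenPreview: redact(raw) });
    }
  }
  return findings;
}

// Minimal in-memory stand-in for window.localStorage (same key/getItem/length API).
class MemoryStorage {
  constructor(entries = {}) { this.map = new Map(Object.entries(entries)); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
}

// Constructed sample of what localStorage might hold after a CSR login.
// The project ID and token are placeholders, not real values.
const SAMPLE_PROJECT_ID = '0123456789abcdef';
const sampleStorage = new MemoryStorage({
  theme: 'dark',
  cookieFallback: JSON.stringify({
    ['a_session_' + SAMPLE_PROJECT_ID]: 'eyJpZCI6ImV4YW1wbGUiLCJzZWNyZXQiOiJub3RhcmVhbHNlY3JldCJ9',
  }),
});

// What an injected script would do: a single call returns the session
// material. An HttpOnly flag on the cookie offers no protection here,
// because this copy never went through document.cookie.
const stolen = sampleStorage.getItem('cookieFallback');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findExposedSessions(sampleStorage));
}
```

Running this against a storage object that only holds unrelated keys (for example a `theme` preference) returns an empty list, which is the state you would expect if the session lived solely in an HttpOnly cookie.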