
Security: tokens stored in sessionStorage while TokenService JSDoc claims httpOnly (misleading + XSS-exfil) #226

Description

@ahmetabdullahgultekin

Auth tokens are cached in sessionStorage (XSS-readable), but the TokenService JSDoc claims httpOnly-cookie storage / 'no client-side token storage' — the doc describes the ideal, the code does the opposite.

Evidence (origin/main): src/core/services/TokenService.ts:8-33 JSDoc claims httpOnly; SecureStorageService.ts uses sessionStorage; TokenService caches tokens (~lines 110-123).

Fix (pick one, reversibility-sensitive): migrate to backend-set httpOnly cookies (larger), OR at minimum delete/correct the misleading JSDoc so it matches reality. Mitigations today: 15-min access TTL + CSP.

Source: MASTER_ISSUE_REGISTER_2026-06-03 (WEB-1) + SECURITY_FINDINGS_2026-06-01 §2, re-verified on origin/main 2026-06-13.
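As an added illustration of the "backend-set httpOnly cookies" option (example code, not from the project or the issue author): a builder for the Set-Cookie header the backend would emit for the access token, and an audit function that flags headers lacking the attributes that keep the token out of reach of page script. The names `ACCESS_TTL_SECONDS`, `buildAuthCookie` and `auditSetCookie` are hypothetical; the 900-second Max-Age mirrors the 15-minute access TTL mentioned above.

```javascript
// Added example, not project code. Shows what moving the access token from
// sessionStorage (readable by any script on the page) to a backend-set cookie
// means concretely, and how to check the backend's response for gaps.

const ACCESS_TTL_SECONDS = 15 * 60; // assumption: mirrors the 15-min access TTL

// Build the Set-Cookie header value for the access token.
// HttpOnly keeps document.cookie (and thus XSS payloads) from reading it;
// Secure restricts it to HTTPS; SameSite limits cross-site sending.
function buildAuthCookie(name, token, { ttl = ACCESS_TTL_SECONDS, sameSite = 'Strict' } = {}) {
  if (token.length === 0 || /[;,\s"\\]/.test(token)) {
    throw new Error('token contains characters not allowed in a cookie value');
  }
  return [
    `${name}=${token}`,
    `Max-Age=${ttl}`,
    'Path=/',
    'HttpOnly',
    'Secure',
    `SameSite=${sameSite}`,
  ].join('; ');
}

// Parse one Set-Cookie header value and list hardening problems.
// Intended as a regression check on backend responses once cookies are adopted.
function auditSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((p) => p.trim());
  const name = nameValue.split('=')[0];
  const flags = new Map(attrs.map((a) => {
    const [k, v] = a.split('=');
    return [k.toLowerCase(), v === undefined ? true : v];
  }));
  const problems = [];
  if (!flags.has('httponly')) problems.push('missing HttpOnly: readable by script (XSS exfiltration)');
  if (!flags.has('secure')) problems.push('missing Secure: may be sent over plaintext HTTP');
  if (!flags.has('samesite') || String(flags.get('samesite')).toLowerCase() === 'none') {
    problems.push('SameSite absent or None: sent on cross-site requests');
  }
  const maxAge = Number(flags.get('max-age'));
  if (!Number.isFinite(maxAge) || maxAge > ACCESS_TTL_SECONDS) {
    problems.push('Max-Age absent or longer than the 15-minute access TTL');
  }
  return { name, problems };
}
```

A constructed header such as `access_token=abc.def.ghi; Path=/` fails all four checks, while the builder's output passes with no problems.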


Labels

security: Security-sensitive correctness or hardening
surface/web: web-app (React dashboard + hosted login)
