Firstly, I'm not sure what the format of your authToken is, but localStorage should not be used for any sensitive data. Using localStorage works great (and survives browser restarts) as long as your authToken is relatively tamper-proof, either through some form of encryption or nonce. Essentially, you should be careful that since the value is "visible" to all client-side users, it should be assumed to be possible to modify or increment.

Have you thought about revocation of login sessions? For example, if you want to log out all active sessions of your application, how would you do it? Since the authToken is stored client-side, you may need to add a timestamp (or some other unique value) to it that can be checked server-side.