The client gets its secret for HMAC encryption after its first login on the server - but what's the best way to store the secret on the (JavaScript) client? Cookie, localStorage? Thanks


Solution

Well the answer is, it depends. localStorage and cookies are not equivalent. Although they both can be used to store information on the client, they serve very specific goals. localStorage is meant to store an application's data locally. It cannot be set directly from the server and is not sent to the server through HTTP headers either.

You may also have a look at sessionStorage.

However, cookies are typically created from the server (even if there's a JS API) through HTTP headers and they contain expiry information. Once set, they will be part of every client request's HTTP headers, allowing the server to access the information.

Both ways are probably equally secure since they both cannot be accessed from another domain. However if you are transmitting secure information you should probably do it through HTTPS as well.

Other tips

The best way is pretty subjective.

If you must store it on the client (you must, I assume), then it can't be secure, it just can't.
Putting that aside, the best way depends on your situation.

Are you trying to target older browsers? Then you can't use local storage.

Since we've already removed security from the equation, your most far-reaching, cross-browser-compatible solution is to store it in a cookie.
That's also probably one of the easiest solutions, though certainly the least secure (since your only form of security here is obscurity, and cookies are... not obscure).

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow