Glitch should store user token in cookie instead

Currently Glitch stores the user token in LocalStorage, which creates a security vulnerability where an attacker can create code or an extension to steal it without the user's notice and perform actions the user would not like. In conclusion, Glitch should store the user token in a cookie instead, with the Secure, SameSite and HttpOnly flags, which will make stealing the user token a lot harder.

What do you think, is that a good idea, and why?

1 Like

Yes, that’s a bad idea.

2 Likes

You also could make a script which collects cookies and sends them to a server, which people will actually do (hence everyone complaining about their robux/accounts being stolen).

There is a tutorial for that which Blogger (a.k.a. Google) refused to take down.

Basically you could get cookies and fetch them to a server using JavaScript, which has happened, and people fall for it daily.

It is also easy for people who make YouTube videos to get your token.

Also noting you can require fs somewhere and run this:

const fs = require('fs');
fs.writeFile('/heheboisthetoken', cookie, () => {}); // the cookie would be their token

I didn’t know fs could run client side. How do you do that?

No :man_facepalming:

node.js when you are on /

1 Like