Vuex store empty if i refresh my webpage
If you refresh the page (F5) you are re-running your app, so unless you initialize the store with some data, it will get empty as it is when app starts.
You can decide what states you want to keep in this case and save them into the cookie/LocalStorage and then in your
app.js
load them from cookie/LocalStorage into the store. It would be common practice for things like auth token etc as you want to keep user logged in in case of page refresh. Nice post from Stormpath about storing the tokens: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storageIf Vuex store and whole app is being reloaded when you are navigating from route to route - there is something wrong with your application, probably you are not using VueRouter navigation properly.
To persist state data after app refresh, you can either use localStorage
or sessionStorage
.
XSS: The problems with storing tokens in
localStorage
as you say is about the app being vulnerable to XSS (cross-site-scripting) attacks. Apart from that, it is quite safe. ThelocalStorage
is bound to the domain, so the data ofwww.yourapp.com
will stay there even after the browser is closed also unlike cookies, you won't have to manage which site made the request. All the tabs on the browser with the same domain will be able to use the data in thelocalStorage
If the said behaviour is not needed, you can go for
sessionStorage
, it works almost the same way but the data gets cleared when the browser is closed.Going for cookies, sure they will help saving your token being taken away by an XSS but then you will have to ensure you also provide a
csrf-token
to protect against CSRF (Cross Site Request Forgery) attacks.If you plan on going forward with cookies, then make sure they have the
httpOnly
flag set to true in the headers, else they are no good.
Overall I have seen that localStorage has been a very commonly recommended solution for maintaining tokens and other app data.
I'll add sources to this answer for reference.
CSRF Token necessary when using Stateless(= Sessionless) Authentication? Check the accepted answer and others as well.
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTML5_Security_Cheat_Sheet.md
https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
https://www.whitehatsec.com/blog/web-storage-security/ This would let you know about the pitfalls and how-to for using localStorage.