localstorage is just as vulnerable to being read by JavaScript as cookies are.

localstorage 和 cookie 一样容易被 JavaScript 读取。

localstorage can be read using JavaScript from the samedomain, if you control all the JS on the domain, then this shouldn't be a problem. But if any other code is executed (via injection for example, or if you share the domain with someone else), they will be able to access the storage data.

localstorage 可以从同一个域中使用 JavaScript 读取，如果您控制域上的所有 JS，那么这应该不是问题。但是如果执行任何其他代码（例如通过注入，或者如果您与其他人共享域），他们将能够访问存储数据。

This is the same for cookies however, but typically the cookie is set to HTTPOnly so JavaScript cannot read it.

然而，这对于 cookie 来说是相同的，但通常 cookie 设置为 HTTPOnly，因此 JavaScript 无法读取它。

In either case, plain-text login information shouldn't be stored in either cookies or localstorage anyhow, as if someone does get hold of them, they can continuously make a new session for themselves.

在任何一种情况下，纯文本登录信息无论如何都不应该存储在 cookie 或 localstorage 中，好像有人确实掌握了它们，他们可以不断地为自己创建一个新会话。

You should encrypt an authenticated identifier (such as their user ID) along with the datetime of the session expiration, and then store this value in either a cookie or local storage. This token is then validated on each server call.

您应该加密经过身份验证的标识符（例如他们的用户 ID）以及会话到期的日期时间，然后将此值存储在 cookie 或本地存储中。然后在每次服务器调用时验证此令牌。

If you're going to be using local storage, why store user credentials or anything derived from them at all?

如果您要使用本地存储，为什么要存储用户凭据或从它们派生的任何内容？

What I've been looking into doing is:

我一直在研究做的是：

Upon successful login, generate a completely random string unrelated to user credentials and store that in the database, along with an expiry date. I would then pass that string to my js to be stored in local storage.

成功登录后，生成与用户凭据无关的完全随机字符串，并将其与到期日期一起存储在数据库中。然后我将该字符串传递给我的 js 以存储在本地存储中。

From then on, so long as that local storage credential matches the database one and the timeout has not expired, I automatically consider them logged in.

从那时起，只要本地存储凭据与数据库之一匹配并且超时未过期，我就会自动认为他们已登录。

This way, there is no risk concerning the exposure of the user's credentials from local storage. However, with this temporary unique string essentially functioning as a sessionID, you will still to need to be aware of and take precautions against the risks associated with session hiHymaning.

这样，就不存在从本地存储泄露用户凭据的风险。但是，由于这个临时唯一字符串本质上用作 sessionID，您仍然需要注意并采取预防措施以防范与会话劫持相关的风险。

In any case, my understanding is that local storage is as secure as the server behind your site is. By that I mean local storage is only accessible via scripts coming in through your own domain, so you're safe so long as the only front code running is your own.

无论如何，我的理解是本地存储与站点背后的服务器一样安全。我的意思是本地存储只能通过通过您自己的域进入的脚本进行访问，因此只要运行的唯一前端代码是您自己的，您就很安全。

You server shall generate some token - unique (for the server) piece of data that cannot be used to discover username/password. Only that token can be stored on user's machine in any form. Neither localStorage nor cookie are secure. So the same rules applied to them in this respect.

您的服务器应生成一些令牌 - 无法用于发现用户名/密码的唯一（对于服务器）数据。只有该令牌才能以任何形式存储在用户的机器上。localStorage 和 cookie 都不安全。因此，在这方面，同样的规则适用于他们。

You should have some means to expire such token otherwise once stolen such token can be used instead of real credentials.

您应该有一些方法可以使此类令牌过期，否则一旦被盗，此类令牌就可以代替真实凭据使用。

If you're going to use localStorage instead of cookies, you can make things moresecure than cookies. That's because you don't need to send a session id to the server with each request, making it a bearer token. Instead, you can store a user secret on the client side in localStorage, and use it to sign your requests in addition to the corresponding public key being sent down and used as the session id. This way, no one on the server side or proxy can fake your requests.

如果您打算使用 localStorage 而不是 cookie，您可以使事情比 cookie更安全。那是因为您不需要在每次请求时向服务器发送会话 ID，使其成为不记名令牌。相反，您可以在客户端的 localStorage 中存储一个用户机密，并使用它来签署您的请求，以及发送下来并用作会话 ID 的相应公钥。这样，服务器端或代理上的任何人都无法伪造您的请求。