How to store didsession strings securely?

What are the options for storing session strings securely in a non-custodian way?


WARNING
LocalStorage is used for illustrative purposes here and may not be best for your app, as there are a number of known issues with storing secret material in browser storage. The session string allows anyone with access to that string to make writes for that user for the time and resources that session is valid for. How that session string is stored and managed is the responsibility of the application.

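```ts
import { DIDSession } from 'did-session'
import type { AuthMethod } from '@didtools/cacao'

// An updated version of loadSession(...) using localStorage
const loadSession = async (authMethod: AuthMethod, resources: Array<string>): Promise<DIDSession> => {
  // The serialized session is secret material: anyone who reads it can write as the user
  const sessionStr = localStorage.getItem('didsession')
  let session: DIDSession | undefined

  if (sessionStr) {
    // Restore a previously stored session
    session = await DIDSession.fromSession(sessionStr)
  }

  // No stored session, or the stored one has expired: authorize again and persist the new session
  if (!session || (session.hasSession && session.isExpired)) {
    session = await DIDSession.authorize(authMethod, { resources })
    localStorage.setItem('didsession', session.serialize())
  }

  return session
}
```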

Context:
from doc: DID Session - Ceramic Developers

Sorry for the delayed response @0xEE3CA4dd4CeB341691! The whole team has been very busy this past month getting ready for our big launch of ComposeDB Beta happening this week.

I’m tagging in @zfer and @jthor to take a look at your question about storing the didSession.
