How to store didsession strings securely?

What are the options for storing session strings securely in a non-custodian way?


WARNING
LocalStorage is used for illustrative purposes here and may not be best for your app, as there are a number of known issues with storing secret material in browser storage. The session string allows anyone with access to that string to make writes for that user for the time and resources that session is valid for. How that session string is stored and managed is the responsibility of the application.

// An updated version of loadSession(...) using localStorage
import { DIDSession } from 'did-session'
// AuthMethod type import path taken from the did-session README (assumed here)
import type { AuthMethod } from '@didtools/cacao'

const loadSession = async (authMethod: AuthMethod, resources: Array<string>): Promise<DIDSession> => {
  // Try to reuse a previously serialized session string
  const sessionStr = localStorage.getItem('didsession')
  let session: DIDSession | undefined

  if (sessionStr) {
    session = await DIDSession.fromSession(sessionStr)
  }

  // No stored session, or the stored one has expired: authorize a new one
  // for the requested resources and persist its serialized form
  if (!session || (session.hasSession && session.isExpired)) {
    session = await DIDSession.authorize(authMethod, { resources })
    localStorage.setItem('didsession', session.serialize())
  }

  return session
}

Context: the warning quoted above is from the doc: DID Session - Ceramic Developers

Sorry for the delayed response @0xEE3CA4dd4CeB341691! The whole team has been very busy this past month getting ready for our big launch of ComposeDB Beta happening this week.

I’m tagging in @zfer and @jthor to take a look at your question about storing the didSession.

1 Like

Did you ever figure this out?

ping @zfer @jthor. CC @mzk

Imo, I think localstorage is an ok option. The main security risk you are running is that a malicious browser extension steals the key.

This can be made much more secure by using the webcrypto apis where keys can be made “non-extractable”. There was a new did:key provider merged recently: feat: add webcrypto based did:key provider by oed · Pull Request #155 · ceramicnetwork/js-did · GitHub

But support still needs to be added in did-session (PRs are welcome)

2 Likes