22Mar
Does saving the cookie or jwt token in the browser raise a security risk?
I have an admin screen, once I access it, it asks for login credentials, then after I login, I get a token that is saved under local storage (see screenshot below)
Noting that I am using Edge browser in private mode, when I open a new tab, I am directly directed to the admin screen without login (which seems normal since the token is saved in the browser), but the weird thing is that even when I open a new Edge browser in private mode I still can see the token when I access the admin URL. A few questions here:
- Is there a security issue here with saving the token on the browser side?
- I tried to take the token and inject it in Burp as a header but the request failed; am I missing something here? (I tried also adding it as a cookie but it didn't work, so it seems I am missing something here.)
- Is it normal that when opening a new Edge browser in private mode it is still loading the token?