fix(security): move session credentials to sessionStorage #547

Open
Namraa310806 wants to merge 1 commit into FireFistisDead:master from Namraa310806:fix/session-storage-credential-handling
Conversation

@Namraa310806

Contributor

Summary

This PR fixes a security-related credential persistence issue where session credentials were documented as being stored in sessionStorage, but legacy behavior could still result in credential persistence through localStorage.

The implementation now fully aligns with the intended security model by storing session credentials in sessionStorage, adding a safe migration path for existing users, and introducing regression tests to prevent future regressions.

Changes Made

Session Credential Storage

  • Replaced credential persistence logic with sessionStorage.
  • Removed reliance on localStorage for active session credentials.
  • Ensured session credentials remain tab-scoped.

Legacy Migration Support

  • Added automatic migration of existing session credentials from localStorage to sessionStorage.
  • Automatically removes migrated credentials from localStorage.
  • Preserves existing active sessions during upgrade.

Data Validation Improvements

  • Added defensive handling for malformed storage entries.
  • Prevented invalid session records from being restored.
  • Improved resilience of session restoration logic.

Regression Test Coverage

Added tests covering:

  • Session credential storage in sessionStorage
  • Migration from legacy localStorage entries
  • Cleanup of migrated credentials
  • Duplicate session handling
  • Invalid/corrupted storage data
  • Preservation of non-sensitive application preferences

Security Impact

This change reduces credential exposure by ensuring:

  • Session credentials are scoped to the current browser tab.
  • Credentials are automatically cleared when the tab closes.
  • Credentials are no longer persisted across browser restarts.
  • The exposure window during potential XSS incidents is reduced.

Files Modified

  • frontend/src/App.js
  • frontend/src/App.test.js

Verification Checklist

  • Credentials stored in sessionStorage
  • Legacy localStorage migration implemented
  • Migrated credentials removed from localStorage
  • Session restoration continues to function correctly
  • Regression tests added
  • Existing application functionality preserved

Related Issue

Fixes: #499
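The storage, migration and validation behaviour the description above lists, written out as an added example (this is not the PR's code; the key name, the record shape `{ token, userId, expiresAt }` and the in-memory Storage stub are assumptions so the logic runs outside a browser):

```javascript
// Added example, not the PR's code. Assumed: the storage key name, a session record
// of shape { token, userId, expiresAt } and an in-memory Storage stub for running
// outside a browser (in a browser, pass window.sessionStorage / window.localStorage).
const SESSION_KEY = "app.session"; // assumed key name

// Constructed Storage-like stub with the three methods the logic needs.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Parse and validate a raw storage entry. Malformed JSON, missing fields or an
// expired record all yield null, so an invalid session is never restored.
function parseSession(raw, now = Date.now()) {
  if (typeof raw !== "string") return null;
  let obj;
  try { obj = JSON.parse(raw); } catch (e) { return null; }
  if (!obj || typeof obj !== "object") return null;
  const { token, userId, expiresAt } = obj;
  if (typeof token !== "string" || token.length === 0) return null;
  if (typeof userId !== "string" || userId.length === 0) return null;
  if (!Number.isFinite(expiresAt) || expiresAt <= now) return null;
  return { token, userId, expiresAt };
}

// Write a new session only to sessionStorage, so it stays tab-scoped.
function saveSession(sessionStorage, session) {
  sessionStorage.setItem(SESSION_KEY, JSON.stringify(session));
}

// Restore the session on load: a valid sessionStorage record wins; otherwise a
// valid legacy localStorage record is migrated into sessionStorage. The legacy
// entry is removed in every case (valid, duplicate, corrupt or expired) so no
// credential survives a browser restart. Other localStorage keys are untouched.
function restoreSession({ sessionStorage, localStorage }, now = Date.now()) {
  let session = parseSession(sessionStorage.getItem(SESSION_KEY), now);
  const legacyRaw = localStorage.getItem(SESSION_KEY);
  if (legacyRaw !== null) {
    if (!session) {
      session = parseSession(legacyRaw, now);
      if (session) saveSession(sessionStorage, session);
    }
    localStorage.removeItem(SESSION_KEY);
  }
  return session;
}
```

Because the migration runs before any UI code reads the session, an existing active session survives the upgrade while the localStorage copy is gone after the first load.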

@vercel

vercel Bot commented Jun 15, 2026


@Namraa310806 is attempting to deploy a commit to the firefistisdead's projects Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai Bot commented Jun 15, 2026

Contributor

Warning

Review limit reached

@Namraa310806, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 44 minutes and 16 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: c9e1b178-6bf4-445a-9b90-d1536152ea98

📥 Commits

Reviewing files that changed from the base of the PR and between 5590b87 and 9894d48.

📒 Files selected for processing (2)

  • frontend/src/App.js
  • frontend/src/App.test.js

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions github-actions Bot added the labels duplicate, enhancement, feature, fix, frontend, invalid, rag-service, type:security and type:testing on Jun 15, 2026

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug]: Session Credentials Persist in localStorage Despite Security Logic Claiming sessionStorage Usage

1 participant