<@U04UQ68083H> is using browser localstorage or a ...
# ory-copilot
b
@chilly-king-10285 is using browser localstorage or a cookie to save flow IDs a safe way of persisting flows through a browser reload?
c
A message from kapa.ai
Ory's security model does not recommend storing tokens in `localStorage` or `document.cookies` due to the security risks associated with these methods. Instead, Ory implements special browser APIs which use additional security measures such as anti-CSRF cookies. This approach is designed to protect your users from common browser attack vectors, such as Cross-site scripting (XSS) or Cross-site request forgery (CSRF). In the context of flows, Ory uses HTTP cookies to prevent CSRF and Session Hijacking attack vectors. For example, when making requests for the browser flow, Ory recommends using the `-c` flag to store the cookies in a file and the `-b` flag to read the cookies from the file on subsequent requests. This method ensures that all security requirements are fulfilled and that the flow IDs are persisted safely through a browser reload. For more information, you can refer to the [Ory Documentation](https://www.ory.sh/docs/security-model).