Okay I have an API written in node.js that I'm trying to add session functionality to. the API is completley RESTful. When the user logs in, I send the user/pass combo with a GET ajax call to the /login endpoint. The server then salts the password and compares it to the hash stored in my mongo db. It will then respond with true or false depending on the success of the login.
What I want to implement is this: When a user enters a valid login, the server generates a session key. This key is stored in mongo in the user's document. This session key is then returned with the GET request. This session key will then be included in the JSON body of all future requests to allow the user access to their account information.
My question: Is it safe to store this session key in the browser's localStorage or sessionStorage? Will this open the user up to any vulnerabilities?
Heres a link to secruity.stackexchange that explains the possible vulnerabilities. According to the W3C, web storage is safe for sensitive data.