We have a project and we will use token de autorização , we are using AngularJs for front end and back we develop in Java using Spring Framework and Spring Security , and send token header .
But my question is:
What is the best place to store token de autorização in the client part, Local Storage or Cookies and what is the difference between the two?
It depends!
With cookies, you do not have to worry about sending the token to every request, because the browser will take care of this and other things like:
path , within the same domain; Cookie has size limitations (4 KB) when compared to localStorage (5MB), but to store tokens this will not be a problem.
But if you are working with OAuth, for example, it will often require you to control two tokens (the authorization token and renewal token) and the advantages of the Cookie are not relevant in context, it is best to concentrate both in the localStorage, for the sake of organization.
This would be my position thinking about implementation. There are security issues for each solution that should be taken into account as well, as both solutions are vulnerable to some types of attacks ( XSRF, XSF and XSS).