re: Please Stop Using Local Storage VIEW POST

re: Hey Randall, I definitely agree that storing session information in localStorage is a bad idea. Secure, HTTP only cookies are the way forward for ...

Doesn't this approach have the same security flaw as storing an authorization token in the local storage? I mean, every JS code is going to be able to read them.


Well, yes. As Randall points out above, he was referring to httpOnly cookies, which cannot be read or written to from client side JavaScript. I think that paragraph just lacked that context. Client side cookies are just as susceptible to XSS attacks as localStorage. I just didn't agree that just cookies needed a server to write them, httpOnly cookies do though.

code of conduct - report abuse