Hey Randall,
I definitely agree that storing session information in localStorage is a bad idea. Secure, HTTP only cookies are the way forward for that.
I just wanted to point one thing out around cookies. You said
One of the annoying things about cookies (the only real alternative to local storage) is that they need to be created by a web server. Boo! Web servers are boring and complex and hard to work with.
Firstly, you definitely come up with another alternative to localStorage later in the article with indexedDB. However, you absolutely can write cookies from JavaScript. It's as straightforward as:
document.cookie = "dev.to=awesome";
You can then read the document's cookies again with:
console.log(document.cookie);
Now, all we need to do is flawlessly fix XSS and we won't have to worry about any of this again!
Good point -- I was referring to the httpOnly ones. Good catch!
Doesn't this approach have the same security flaw as storing an authorization token in local storage? I mean, any JS code is going to be able to read them.
Well, yes. As Randall points out above, he was referring to httpOnly cookies, which cannot be read or written to from client-side JavaScript. I think that paragraph just lacked that context. Client-side cookies are just as susceptible to XSS attacks as localStorage. I just didn't agree that cookies in general needed a server to write them; httpOnly cookies do, though.
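To make the distinction in this thread concrete, here is an added example (not code from the thread or from dev.to) that models a browser cookie jar in plain JavaScript; CookieJar, buildSetCookie, parseDocumentCookie and demo are names made up for the demo. A cookie set through document.cookie is readable by any script on the page, so it is exposed to XSS just like localStorage, while a cookie the server sets with HttpOnly still travels back in the Cookie header but never appears in document.cookie and cannot be overwritten from script.

```javascript
// Added demo (not the thread's code); CookieJar, buildSetCookie, parseDocumentCookie, demo are made-up names.
function buildSetCookie(name, value, { httpOnly = true, secure = true, sameSite = 'Strict', path = '/' } = {}) {
  // Server side: hardened Set-Cookie header value for a session cookie.
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}
function parseDocumentCookie(str) {
  // Client side: parse a document.cookie string ("a=1; b=2") into an object.
  const out = {};
  for (const pair of str.split(';')) {
    const idx = pair.indexOf('=');
    if (idx < 0) continue;
    const name = pair.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(pair.slice(idx + 1).trim());
  }
  return out;
}
// Simulated browser jar: every cookie goes back to the server, but only non-HttpOnly ones are visible to script.
class CookieJar {
  constructor() { this.store = new Map(); }
  receiveSetCookie(header) {                   // browser handling a Set-Cookie response header
    const [nv, ...attrs] = header.split(';').map(s => s.trim());
    const idx = nv.indexOf('=');
    const httpOnly = attrs.some(a => a.toLowerCase() === 'httponly');
    this.store.set(nv.slice(0, idx), { value: nv.slice(idx + 1), httpOnly });
  }
  scriptSet(name, value) {                     // document.cookie = "name=value" from JS
    const existing = this.store.get(name);
    if (existing && existing.httpOnly) return; // silently ignored, as browsers do for HttpOnly cookies
    this.store.set(name, { value: encodeURIComponent(value), httpOnly: false });
  }
  get documentCookie() {                       // what any script, injected or not, can read
    return [...this.store].filter(([, c]) => !c.httpOnly).map(([n, c]) => `${n}=${c.value}`).join('; ');
  }
  get requestCookieHeader() {                  // the Cookie header the browser sends with a request
    return [...this.store].map(([n, c]) => `${n}=${c.value}`).join('; ');
  }
}
// Session cookie from the server plus the thread's script-set cookie: document.cookie shows only the latter.
function demo() {
  const jar = new CookieJar();
  jar.receiveSetCookie(buildSetCookie('session', 'abc123'));
  jar.scriptSet('dev.to', 'awesome');
  return { visibleToScript: parseDocumentCookie(jar.documentCookie),
           sentToServer: parseDocumentCookie(jar.requestCookieHeader) };
}
```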