re: Please Stop Using Local Storage VIEW POST


Hey Randall,

I definitely agree that storing session information in localStorage is a bad idea. Secure, HTTP only cookies are the way forward for that.

I just wanted to point one thing out around cookies. You said

One of the annoying things about cookies (the only real alternative to local storage) is that they need to be created by a web server. Boo! Web servers are boring and complex and hard to work with.

Firstly, you definitely come up with another alternative to localStorage later in the article with indexedDB. However, you absolutely can write cookies from JavaScript. It's as straightforward as:

document.cookie = "dev.to=awesome";

You can then read the document's cookies again with:


Now, all we need to do is flawlessly fix XSS and we won't have to worry about any of this again!


Good point -- I was referring to the httpOnly ones. Good catch!


Doesn't this approach have the same security flaw as storing an authorization token in the local storage? I mean, every JS code is going to be able to read them.


Well, yes. As Randall points out above, he was referring to httpOnly cookies, which cannot be read or written to from client side JavaScript. I think that paragraph just lacked that context. Client side cookies are just as susceptible to XSS attacks as localStorage. I just didn't agree that just cookies needed a server to write them, httpOnly cookies do though.

code of conduct - report abuse