re: Please Stop Using Local Storage VIEW POST


Sorry, but as far as I see the whole point of this article is (for the security argument) to not use local storage, because of XSS attacks.

XSS attacks are a serious thing, but recommending cookies is just silly. Obviously if you have an XSS attack JavaScript can also read your cookie. Even more, it can easily scrape your website and such stuff.

So if you have an XSS vulnerability you have a problem. Period.

OWASP, as you quote, points out a different security aspect, however: Data is locally stored. (obviously, that's how the thing is named). As such other local users may access it. If that surprises you, I think you did not get the concept of a "local storage".
As such, obviously, I agree to not put credit card numbers or other sensitive data in there, which may require a login.
However, what's for sure is that a cookie itself is not really much more secure than local storage. The only advantage it may have is that it can be automatically deleted at the end of a browser session, thus invalidating your own session. But as it seems, JWTs also found a solution for that.


Tom add: Yes, httpOnly (and sameSite) cookies add some security and when you can use them, it's great (for session cookies e.g.)! However, it's also a thing you need to use. You can also use local storage as secure as this.

My point is just, this article calls out local storage as insecure and only shortly explains how cookies should be done to be more secure! It's not at all obvious that when you don't do it properly also cookies are by no means more secure.

code of conduct - report abuse