DEV Community

Discussion on: Please Stop Using Local Storage

wwowwo

All the commenters that say localStorage is safe are missing the point of session token hijacking vs. hijacking an active session. If you've got an XSS, then your hijack is good, at best, for the time the user is interacting with the site, as long as you don't lose your hook.

If you can hijack their session token, you need milliseconds. You're in and out, to carry on your attack.

A lot of these web devs have not worked in the days prior to HttpOnly, on a site with a large number of page views that took in a lot of user-generated content. Don't take HttpOnly for granted. Don't let your creativity for compound attacks that hijack a session token confuse the best defense mechanism for session hijacking attacks with a low barrier of entry.