user656925

Security - Sessions ( default use - Cookie ) vs. local storage

I'm not concerned with browser compatibility.

I want to know if I move my state from PHP-controlled (server-side) sessions to JavaScript-controlled (client-side) HTML5 local storage, will I gain or lose security?

I think that I would gain security because now, instead of having the user identifier residing in a cookie, which is usually a file, or an SQL database that is easily accessible, it is now inside some sort of internal browser storage. Also, because it is a newer technology, I would hope that more security was designed into it.

Do I gain or lose security by moving from PHP Sessions to JavaScript Local Storage? (This is for things like user id, page_id, etc., the current state that remains after a reload and longer if needed.)

I have a JavaScript solution I want to replace my PHP Sessions with. That is why I ask. I don't care about browser compatibility.

Here is an informative site on Local Storage. But Security was not mentioned.

Upvotes: 1

Views: 4782

Answers (4)

bren

Reputation: 4334

You wouldn't gain or lose security, as in most browsers all data set by sites is stored in the same folder.

Upvotes: 0

user656925

Both types of local storage (localStorage and Cookies) use some sort of identifier which is obviously stored on the client.

Both use a hash mechanism to secure it from altering to another user.

Local Storage is more secure than cookies (see here).

And obviously you have to write the session protocols if you want to move your user identifier from cookies to localStorage.

Both can be stolen to fake being another user. Though less likely with localStorage.

And to make it robust you need a fingerprinting technique that will help with the above problem.

Upvotes: 2

Matt McMahon

Reputation: 655

Local storage is best suited for data that you want to cache on the client in a (more permanent) way than with the regular browser cache. The only way it's "more secure" is if you want to allow the user to work with data that's never sent to the server.

If you're worried about session hijacking, the preferred solution would be to use https/ssl and encrypt all traffic between you and the client. There's a general overview of the problem and solutions on wikipedia (we'd need more information to give you anything much more specific than that, though).

Upvotes: 0

UltraInstinct

Reputation: 44444

I have a JavaScript solution I want to replace my PHP Sessions with.

No. Do not do it. Sessions are stored on the server side. The cookie that is sent out to the browser is typically an identifier for that record. The session stores user-specific data. Almost anything stored on the client side can be easily modified by the user. So if the user modifies the session to point to another user, the security would no longer hold.

LocalStorage is NOT for storing sessions. Stick with PHP sessions, or any other session mechanism that is implemented on the server side.

Update

But the same security flaw is present...a user can login as one person...fiddle with the session_id of the Session and become someone else...fiddling with a session_id...equates to fiddling with who you appear to be to the server ?...this would be the same as fiddling with an encrypted user_id in local_storage.

No. Suppose I figure out the algorithm you are encrypting with. And I know of another user, say UserB. I encrypt his username using that algorithm. If I somehow overwrite my localStorage with that encrypted string, I am him now. That is not really possible in practice. Think of it as there are 100 users and a 128-byte string is the identifier. Are you sure you would be able to fiddle with it and modify it into another record which exists in the table of sessions?

Upvotes: 1
