Why isn't localStorage used instead of cookies? ( and in other cases as well )

Question

According to MDN it is suppose to be more secure than cookies for storing persistent data on the client.

However, checking the localStorage of facebook.com, twitter.com, and linkedin.com I can see that it is not being used.

Oddly, linkedin does have the key ( in localStorage ) 8df when logged in , but trying to access it throws an error.

Answer 1

My guess (hopes this qualifies has an answer)

Web Storage is compatible with most common browsers: http://caniuse.com/namevalue-storage .

For things that don't need to transit with session: what probably happens is that cookies is most commonly known and easy to use. There are lots of companies with average skilled ppl, who will run away when confronted with things out of their confort zone.

Edit after Python Fanboy's answer (+1 from me): read his answer.

Answer 2

According to MDN it is suppose to be more secure than cookies for storing persistent data on the client.

Taking a quick look at Facebook's cookie, for example, I see things like userid, authentication tokens, presence indicator for chat, and window size. (Not posting my cookie here for obvious reasons).

The feature that makes cookies "less secure" (cookies are sent with the HTTP request) is the feature they need in this case because it's part of their communication protocol. Authentication tokens are useless if they aren't sent to the server for, well, authentication.

Simply put, they aren't using localStorage in this case because they aren't trying to store things locally.

Answer 3

localStorage has this drawback which cookies doesn't have: it's stored values aren't sent automatically with all HTTP requests so without more implementation Your server won't know what's stored in browser's localStorage.

localStorage is supported in IE since IE8.