Reputation: 36054
Is it okay to store session id in localStorage?
Is it secure to store user's session id in localStorage? On w3.org site, they say
User agents must raise a SECURITY_ERR exception whenever any of the members of a Storage object originally returned by the localStorage attribute are accessed by scripts whose effective script origin is not the same as the origin of the Document of the Window object on which the localStorage attribute was accessed.
So does this mean localStorage could be used for sensitive data?
Upvotes: 20
Views: 12185
Answers (2)
Reputation: 707716
It depends upon what you mean by "is it secure"?
localStorage is about as secure as a non-path restricted cookie. From web pages, it can only be accessed by pages from the same domain. Zillions of sites store session ids in cookies which have about the same security restrictions as localStorage.
Outside of web pages, neither localStorage nor cookies are secure at all from access by other programs or even web debugging tools running on the same computer.
Upvotes: 15
Reputation:
httpOnly cookies provide a layer of XSS defence that localStorage does not provide:
httpOnlycookies are not accessible from [potentially malicious] JS.localStorageis accessible from JS.
Session IDs should be stored in httpOnly secure cookies.
Upvotes: 32
Related Questions
- Are there any benefits to Session Storage over Local Storage?
- How to combine advantages of localStorage and sessionStorage
- How to store objects in HTML5 localStorage/sessionStorage
- LocalStorage JS - is it safe to store data to keep persistent after refreshing the page?
- HTML5 LocalStorage to maintain session across pages/tabs under same domain
- Is it safe to store the user information in localStorage?
- How to keep localstorage session specific?
- Is storing User Id and Password in localStorage or sessionStorage safe?
- Are there any security concerns storing HTTP Basic authorization header in localStorage?
- Save information of ID's (BD) in localStorage is a bad practice?