
How EU Cookie Law Myths Affect Web Security - kuschku
https://www.rdegges.com/2018/how-eu-cookie-law-myths-affect-web-security/
======
bvttf
going to go with Burp's devs on this one
http://blog.portswigger.net/2016/05/web-storage-lesser-evil-for-session.html

~~~
rdegges
I just read that article: it was super interesting.

The author there found that many people recommend using cookies over web
storage -- that's actually the exact opposite of the advice I've seen. This
was written a few years ago, however.

Anyhow: I disagree with the author. I think what he's missing out on in his
analysis is how common/easy/widespread XSS actually is.

XSS is far harder to defend against than CSRF. Because of this, the surface
area of what you have to protect against is much greater and usually out of
the control of an individual developer on a project. I'm actually doing a more
thorough write-up of this currently, which I plan to publish sometime tomorrow.

