
Please Stop Using Local Storage - vquemener
https://www.rdegges.com/2018/please-stop-using-local-storage/
======
air7
This is wrong, IMO. The author states the main risk to LS data is an XSS
vulnerability in the website. While true, an XSS in a website is pretty much a
"game over" and allows the attacker to get any information and perform any
action in the context of the site.

Essentially, if a website has an XSS your information is compromised no matter
what mechanism the site uses to store it.

~~~
brianhama
That’s exactly what I was thinking also. Local storage is protected by the
origin access policy. If that is compromised by XSS, it doesn’t matter how or
where the data is stored; it’s accessible.

~~~
Klathmon
It doesn't even need to be "stored", an XSS attack can pull information that
is simply displayed on the page.

When it comes to web-apps, XSS is game over. It's the web equivalent of remote
code execution.

------
johncoltrane
That was a relatively interesting read except for this line:

> One of the annoying things about cookies (the only real alternative to local
> storage) is that they need to be created by a web server. Boo!

~~~
mjpuser
I agree. The only reason I can think of to justify this is that the author is
implying you should only use the HttpOnly flag for security reasons. Still
seems odd that they don’t know you can set cookies with JS.

------
shk1338
OMG, he tells us not to store anything security-critical in Local Storage but
advises storing an encrypted session in Cookies instead!

He says that any JS code on the page can access Local Storage but he doesn't
mention that Cookies can be accessed by JS just like Local Storage. And also,
Cookies will be sent with each request even if the request target is an image
or a CSS file, whereas with Local Storage you can decide which data should be
sent with each individual request.

He says that Local Storage can store strings only, but he doesn't say that
Cookies are even worse than this - it's JUST ONE string.

After that he talks about preventing Cookie-related CSRF attacks, which is not
needed with Local Storage.

Doesn't he contradict himself?
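The two points raised above (mjpuser: JS can set cookies, and HttpOnly is the reason to prefer server-set ones; shk1338: cookies ride along on every request, which is why cookie-based sessions need CSRF defences) can be made concrete with a small simulation. This is an added example, not code from the article or from anyone in this thread. It assumes Node.js; the "browser" parts emulate the documented semantics of `document.cookie` (HttpOnly cookies are invisible to script, and a script-set cookie carrying HttpOnly is ignored entirely) rather than using a real DOM, and the cookie values are constructed.

```javascript
// Added example (not from the article or this thread). Server-side cookie
// hardening plus a simulation of what page script can see or set.
// Assumes Node.js; browser behaviour is emulated, values are constructed.

// Build a Set-Cookie header value. HttpOnly keeps the value out of reach of
// document.cookie (so an injected script cannot read it), Secure restricts it
// to HTTPS, and SameSite limits cross-site sends, which is the property the
// cookie-based CSRF defences mentioned above rely on.
function buildSetCookie(name, value, opts = {}) {
  const {
    maxAge = 3600,
    httpOnly = true,
    secure = true,
    sameSite = 'Strict',
    path = '/',
  } = opts;
  // Cookie names must be RFC 6265 tokens; reject anything else early.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error('invalid cookie name');
  }
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`, `Max-Age=${maxAge}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse one Set-Cookie header value into its name/value and the flags we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: decodeURIComponent(pair.slice(eq + 1)),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = v;
  }
  return cookie;
}

// Emulates what `document.cookie` returns in a browser: every cookie for the
// origin EXCEPT those flagged HttpOnly. Any script running on the page,
// including an injected one, sees exactly this string and nothing more.
function visibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${encodeURIComponent(c.value)}`)
    .join('; ');
}

// Emulates a script doing `document.cookie = "..."`: JS can create cookies,
// but per RFC 6265 section 5.3 a cookie set from a non-HTTP API that carries
// HttpOnly is discarded entirely, so the flag is only available to the server.
function scriptSetCookie(header) {
  const c = parseSetCookie(header);
  return c.httpOnly ? null : c;
}

// Walk through the comparison with constructed values.
function demo() {
  const session = buildSetCookie('sid', 'opaque-session-id-0001'); // constructed id
  const theme = buildSetCookie('theme', 'dark', { httpOnly: false, sameSite: 'Lax' });
  return {
    session,                                          // what the server sends
    exposed: visibleToScript([session, theme]),       // what page script can read
    scriptAttempt: scriptSetCookie('sid=forged; HttpOnly'), // null: browser ignores it
  };
}

module.exports = { buildSetCookie, parseSetCookie, visibleToScript, scriptSetCookie, demo };
```

The takeaway matches the thread: a session kept in localStorage is readable by any script on the page, while a session in an HttpOnly cookie is not readable even under XSS, although the attacker can still use it by making requests from the page. Whether the cookie is sent on a cross-site request is governed by SameSite, which is where the CSRF discussion comes in.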

------
heme
"Please Stop Using Local Storage" is not helpful and will confuse people who
are unfamiliar with browser storage. I'm guessing the author meant, "Please
Stop Storing Application Data in the Browser Instead of a Server-Side
Persistence Layer (DB)". Local Storage is a specific thing in the browser and
is useful in specific cases.

I found a good comparison of all browser storage options on Quora:
[https://www.quora.com/What-is-the-difference-between-sessionstorage-localstorage-and-Cookies](https://www.quora.com/What-is-the-difference-between-sessionstorage-localstorage-and-Cookies)

I believe all of the author's stated shortcomings of local storage apply to
all browser storage options.

* String Only

* Synchronous

* No Web Worker Support

* Size Limits (smaller for cookies but all have limits)

* Any JavaScript code on the page has access (don't include scripts you don't trust)

Also, keep in mind...

* There is no guarantee the browser will encrypt the content on disk. I believe Chrome encrypts cookies, but I don't think others do. I don't believe local storage is encrypted at all. Session storage & session cookies should only be in memory. You shouldn't be storing PII in the browser anyway.

* These storage options can't be accessed by other domains as they conform to the same origin policy, but this is an important caveat: The "origin" of the script is the page it is executed in, not where it comes from. So, if you include <script src="http://somehacker.com/superLib.js"></script> it will execute in your origin and can access everything. Protect your users by only including scripts you know are safe.

  * [https://stackoverflow.com/questions/12543978/same-origin-policy-and-serving-js-from-a-cdn](https://stackoverflow.com/questions/12543978/same-origin-policy-and-serving-js-from-a-cdn)

  * [https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy)

In short, do some research and use the right tool for the right job.

------
freddywang
Well, localstorage is still much better than cookies. The browser includes
cookies on all requests to your server. There is no way JavaScript can tell the
browser to stop that!!! Now, stop using cookies!!!!

