DEV Community

loading...

Discussion on: localStorage vs cookies: the "tabs vs spaces" sterile debate of web development 🙄

Collapse
artis3n profile image
Ari Kalfus • Edited

"If someone owns you, someone owns you."

There is a LOT of room inside this statement. What do they own? Is XSS (cross-site scripting, executing arbitrary javascript) only accessible on the Contact Us form? If an attacker cannot access session credentials, then there is not much they can do with that attack.

There are significant challenges for an attacker when authentication credentials are inaccessible vs. it is incredible easy to steal user data with access to credentials. There are layers of defensive controls in place (or should be in place) on a website.

This is a good page to get started on understanding the subtleties and various other security controls in place on websites.

"Protecting against CSRF is not that easy, and beginners are not even aware of it"

See portswigger.net/web-security/csrf/...

Collapse
oguimbal profile image
Olivier Guimbal Author • Edited

Agreed, there is a lot of room in the sentence you mentioned :)
My intention was not to deliver a detailed technical article, rather to express an opinion that is not heard as much as I feel it deserves. So thanks for your link !

That said, just a precision though: when dealing with SPAs, there is no such thing as "only in contact us form"... once you've injected some JS, you're in the place until the user leaves or refreshes.

Once your injected code is running, with cookies auth, you will probably be able to perform whatever GET request against the server to steal whichever userdata you want: They'll be kindly authenticated for you by the browser.

At least, with tokens instead of cookies, you get a chance to hide your auth token in a private scope.

But anyway, my point was not to prove that one if better than another :)