Discussion on: localStorage vs cookies: the "tabs vs spaces" sterile debate of web development 🙄

bpedroza

I agree with you; these arguments are kind of old and no one ever wins. For me the answer is simple: don't ever store anything sensitive in either of these.

darkwiiplayer

"Don't ever store anything sensitive in either of these."

That only leaves the server, and that's the last place where you should want to store anything sensitive. Not only can you get hacked, just as the user can, but said user doesn't even have any control to at least wipe the data if they want to be absolutely sure it won't be leaked.

Then there's the small but important factor that some data needs to be on the client, like session data, which can often be used to exfiltrate pretty much everything else from the server (although recently some large platforms have started to always ask for a password for certain operations, which somewhat mitigates this).

bpedroza

What are you talking about?

The server is a MUCH safer place to store secrets. Please provide a link to any reputable article that says otherwise. If we're talking about access tokens (or any user specific secret), where do you think the token gets validated? The server HAS TO know these or there is no way to secure communication between the server and the client.

Storing secrets on the client does not inoculate your server from being hacked. Further, if the server gets hacked, the data you were trying to protect is no longer secure anyway, so the point is moot.

Typically session data need not contain sensitive information. If there is sensitive information, store it in memory. Don't persist it. For any non-sensitive data, use local or session storage to your heart's content. I'm not saying don't use these technologies, I'm saying don't persist secrets there.
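The "keep secrets in memory, persist only non-sensitive data" split from the comment above, as an added example in JavaScript (not code from the thread or its participants). It assumes a small client-side store, `createClientStore`, that routes keys listed as sensitive into a closure-held Map and everything else into a Web Storage object; the `storage` argument is injected so the example runs under Node with the constructed `makeFakeStorage` stub, and in a browser you would pass `window.localStorage` or `window.sessionStorage` instead. All key names and values are constructed for the example.

```javascript
// Added example: route secrets to memory, non-sensitive data to web storage.
// Anything in `memory` lives only in this closure: it is never serialized,
// other scripts cannot enumerate it, and it disappears on reload.
function createClientStore(storage, sensitiveKeys) {
  const sensitive = new Set(sensitiveKeys);
  const memory = new Map();

  return {
    set(key, value) {
      if (sensitive.has(key)) {
        memory.set(key, value);          // in memory only, never persisted
      } else {
        storage.setItem(key, JSON.stringify(value)); // survives reloads
      }
    },
    get(key) {
      if (sensitive.has(key)) return memory.get(key);
      const raw = storage.getItem(key);
      return raw === null ? undefined : JSON.parse(raw);
    },
    clearSecrets() {
      memory.clear();                    // e.g. on logout
    },
    // Everything a script with access to the storage object could read;
    // secrets must never show up here.
    persistedSnapshot() {
      const out = {};
      for (let i = 0; i < storage.length; i++) {
        const k = storage.key(i);
        out[k] = storage.getItem(k);
      }
      return out;
    },
  };
}

// Constructed Storage-like stub (getItem/setItem/key/length) so the example
// runs outside a browser. It is not a real Web Storage implementation.
function makeFakeStorage() {
  const data = new Map();
  return {
    get length() { return data.size; },
    key(i) { return Array.from(data.keys())[i] ?? null; },
    getItem(k) { return data.has(k) ? data.get(k) : null; },
    setItem(k, v) { data.set(k, String(v)); },
    removeItem(k) { data.delete(k); },
    clear() { data.clear(); },
  };
}

// Walk through one session plus a simulated page reload (a fresh store over
// the same persistent storage) and report what survived where.
function demo() {
  const storage = makeFakeStorage();
  const store = createClientStore(storage, ['accessToken']);

  store.set('accessToken', 'constructed-token-value'); // sensitive: memory
  store.set('theme', 'dark');                          // non-sensitive: persisted
  store.set('lastTab', 'settings');

  const reloaded = createClientStore(storage, ['accessToken']);

  return {
    tokenBeforeReload: store.get('accessToken'),
    persisted: store.persistedSnapshot(),
    tokenAfterReload: reloaded.get('accessToken'),
    themeAfterReload: reloaded.get('theme'),
  };
}

console.log(demo());
```

The price of the in-memory choice is visible in `tokenAfterReload`: the token is gone after a reload, so an application that does this needs a way to re-establish the session (typically a server-side session or a refresh flow), which is the trade-off the thread is discussing.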

oguimbal
Olivier Guimbal Author

Yea... I totally agree with everything you've said; I've never said anything contrary to what you're writing, so I don't understand your comment. I'm only speaking about authentication token storage (which must be stored client-side... and yes, obviously validated by the server on each request).

[EDIT] Sorry, I hadn't seen that this was not intended for me... The notification did not mention it. Leaving my comment anyway :)