DEV Community


Discussion on: localStorage vs cookies: the "tabs vs spaces" sterile debate of web development 🙄

Bryan

What are you talking about?

The server is a MUCH safer place to store secrets. Please provide a link to any reputable article that says otherwise. If we're talking about access tokens (or any user specific secret), where do you think the token gets validated? The server HAS TO know these or there is no way to secure communication between the server and the client.

Storing secrets on the client does not inoculate your server from being hacked. Further, if the server gets hacked, the data you were trying to protect is no longer secure anyways, so the point is moot.

Typically session data need not contain sensitive information. If there is sensitive information, store it in memory. Don't persist it. For any non-sensitive data, use local or session storage to your heart's content. I'm not saying don't use these technologies, I'm saying don't persist secrets there.
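An added example of the split the comment above recommends (not code from the thread or from either commenter): the access token lives only in a closure with an expiry and is never written to Web Storage, while non-sensitive preferences go to `localStorage`. The `storage` parameter is assumed to be any object with the Web Storage API shape; a constructed in-memory stand-in is used so the demo runs outside a browser.

```javascript
// Access token kept in memory only: lost on reload, never persisted to disk.
// `now` is injectable so expiry can be tested deterministically.
function createTokenStore(now = () => Date.now()) {
  let token = null;      // held in this closure, not on window/localStorage
  let expiresAt = 0;     // epoch milliseconds
  return {
    set(accessToken, ttlSeconds) {
      token = accessToken;
      expiresAt = now() + ttlSeconds * 1000;
    },
    // Returns null (and drops the token) once the TTL has elapsed.
    get() {
      if (token === null || now() >= expiresAt) {
        token = null;
        return null;
      }
      return token;
    },
    clear() { token = null; expiresAt = 0; },
  };
}

// Non-sensitive data (theme, language, layout) may be persisted freely.
// `storage` is window.localStorage or window.sessionStorage in a browser.
function createPreferenceStore(storage, prefix = 'pref:') {
  return {
    set(key, value) { storage.setItem(prefix + key, JSON.stringify(value)); },
    get(key) {
      const raw = storage.getItem(prefix + key);
      return raw === null ? undefined : JSON.parse(raw);
    },
    remove(key) { storage.removeItem(prefix + key); },
  };
}

// Constructed stand-in for window.localStorage (hypothetical helper) so the
// example runs under Node; it mimics the Web Storage API surface used above.
function createMemoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
    get length() { return map.size; },
  };
}
```

The preference store only ever sees data that is harmless if read from disk; the token store has no persistence path at all, so a page reload simply forces a fresh token fetch.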

Olivier Guimbal Author

Yeah... I totally agree with everything you've said, I've never said anything adverse to what you're writing, so I don't understand your comment. I'm only speaking about authentication token storage (which must be stored client-side... and yes, obviously validated by the server on each request).

[EDIT] Sorry, I hadn't seen that this was not intended for me... The notification did not mention it. Leaving my comment anyway :)