DEV Community

Cover image for Sessions and Cookies and (local)Storage, Oh My!
El Marshall (she/they)
El Marshall (she/they)

Posted on • Updated on

Sessions and Cookies and (local)Storage, Oh My!

Cookies, Sessions, and LocalStorage are all methods of storing data client-side, and specifically on the user's browser. Why do we have so many different versions? Do I need to know them all?? They are all super similar, but do have key differences that make them useful for different purposes. It's important that you understand the benefits and limitations of each so that you can choose which is most appropriate to use for any given application.

Cookies are a much older concept than either Sessions or LocalStorage, and are also much more limited in size. This is because the entirety of a cookie is actually passed back to the server with each request. You can see why you need to keep them small!

LocalStorage and Sessions are much closer to each other than either is to Cookies. They use similar setting and access methods, and can store similar sizes of information. In fact, there's really just one big thing that distinguishes them from each other: Sessions data is isolated to the current tab or window. As soon as you close that tab or window, the information goes away. This is why it's referred to as "Sessions." LocalStorage data, on the other hand, will persist across multiple windows and tabs of the same browser (as will cookies).

We saw above that Session data persists so long as you have that "session" open. LocalStorage will persist indefinitely, until the user or the program deletes it. Cookies have an expiration set by the code. They can be set to expire anywhere from just a few seconds or minutes down the line to a date so far in the future that it is essentially indefinite (such as the year 9999).

So to sum up:
A table listing the expiration methods and accessibility across tabs for all three types of storage discussed.

Consider these differences when implementing any kind of browser storage. Cookies are great for password tokens when you want a user to be logged out after a period of inactivity, for instance, while localStorage is good when you want a user's password and username info to stay put, allowing them to be automatically logged in on every visit. Sessions are good if having multiple pages of the same content up might mess with the running of your program.

How to actually set and access all these methods are really quite simple, but not something I'm going to go over here. This video lays the high level basics out pretty clearly.

Hopefully this serves as a clear and concise resource for someone!

EDIT: Also worth noting are the varied security risks. It's not a good idea to use Local Storage for sensitive info such as user passwords, for instance, since it's vulnerable to xss attacks.

Top comments (11)

Collapse
 
atleastitry profile image
Matt Hope

Also probably worth noting that localstorage probably shouldn’t be used for sensitive information (like user passwords session identifies, etc) as it’s susceptible to xss attacks.

Collapse
 
patarapolw profile image
Pacharapol Withayasakpunt

What do you think about firebase auth being in localStorage by default?

Although can be set in cookies as well. I tried, but I failed...

Collapse
 
atleastitry profile image
Matt Hope

Hmm ideally you don’t wanna be putting any sensitive data in local storage as its openly accessible via JS. What problems did you have with configuring your session via cookies?

Thread Thread
 
patarapolw profile image
Pacharapol Withayasakpunt • Edited
  • How do I get csrfToken from the server? Another HTTPS request, or just js-cookie? There is no form or template rendering here...
    • Actually, IIRC, cookie is just a line of string to be parsed.
  • I want to persist not only session itself, but also user credentials.
Thread Thread
 
dpkahuja profile image
Deepak Ahuja 👨‍💻

Encryt both fields to jwt and set it in cookie-session.

Thread Thread
 
dpkahuja profile image
Deepak Ahuja 👨‍💻
Collapse
 
elmarshall profile image
El Marshall (she/they)

Good point, I'll make an update.

Collapse
 
gsarig profile image
Giorgos Sarigiannidis • Edited

Maybe the size difference could be a part of the comparison table, as in some cases it might be the key factor in one's decision.

Collapse
 
david_ojes profile image
David Ojesekhoba

Really informative!
I recently had to use localStorage for a voting app I'm working on in .NET

Collapse
 
a1tem profile image
Artem Petrusenko • Edited

You forgot to add if we use SSR we don’t have an access to the local storage :-( but we can still use cookies

Collapse
 
willwallaceii profile image
William Wallace

What is a good example for using local storage?