DEV Community

Discussion on: localStorage VS sessionStorage

hulf

To also add to your discussion, sessionStorage can also be attacked via XSS JavaScript, so it is still not a good idea to store anything secure in it. The only currently secure place to store creds is in a cookie, and then only if the HttpOnly and Secure flags are set. This then means that the data cannot be seen via JavaScript, only by the web server. So then any break-in via XSS cannot retrieve the data and then have someone else use that.

Now as an aside, in theory you could encrypt the data stored and encode in the source IP address of the browser, so if someone does try to reuse it, you can ignore the data as the encoded IP wouldn't match the IP that they were coming from. Again this would have to be done at the web server level, where it can see the internet IP address, not the client browser IP, as they will more than likely be NATed, so not unique.

Cheers

Fran.