When building authentication, saving user preferences, or managing sessions, developers often choose between localStorage, sessionStorage, and Cookies.
But the real difference appears in network behavior, security, and persistence.
Letβs break it down.
π§ Storage Architecture (Simple Diagram)
Browser
β
βββ localStorage
β βββ Stored in browser
β βββ NOT sent with network requests
β
βββ sessionStorage
β βββ Stored per tab session
β βββ Removed when tab closes
β
βββ Cookies
βββ Stored in browser
βββ Automatically sent with HTTP requests
Example HTTP Request:
GET /api/profile
Host: example.com
Cookie: sessionId=abc123
Only cookies travel with network requests automatically.
π’ localStorage
Stores data without expiration.
π¦ Size
~5β10MB depending on browser
π Network
Not sent to server automatically
π Security
Accessible via JavaScript β vulnerable to XSS attacks
β
Pros
β’ Large storage
β’ Persistent data
β’ Simple API
β’ Good for UI caching
β Cons
β’ Not secure for sensitive data
β’ Vulnerable to XSS
β’ Server cannot read it directly
π Use Cases
β’ Theme preference
β’ UI settings
β’ Cached API data
π‘ sessionStorage
Same API as localStorage but data exists only for one browser tab session.
π¦ Size
~5MB
π Network
Not sent to server
π Security
Also accessible via JavaScript
β
Pros
β’ Temporary storage
β’ Tab specific data
β’ Auto cleared
β Cons
β’ Lost when tab closes
β’ Not suitable for persistence
π Use Cases
β’ Multi-step forms
β’ Temporary user state
π΅ Cookies
Small data stored in browser and automatically included in HTTP requests.
π¦ Size
~4KB
π Network
Sent with every request to the same domain
Example:
Cookie: sessionId=abc123
π Security Options
β’ HttpOnly β JS cannot access
β’ Secure β only HTTPS
β’ SameSite β protects from CSRF
β
Pros
β’ Server can read automatically
β’ Secure options available
β’ Best for authentication
β Cons
β’ Small storage
β’ Sent with every request (network overhead)
π Use Cases
β’ Authentication sessions
β’ Login state
β’ User tracking
β‘ Real Authentication Flow Example
Modern apps usually use this pattern:
User Login
β
Server verifies credentials
β
Server sets cookie
Set-Cookie: sessionId=xyz; HttpOnly; Secure
β
Browser stores cookie
β
Every API request automatically sends cookie
Example request:
GET /api/user
Cookie: sessionId=xyz
Server reads cookie β authenticates user.
β‘ Quick Comparison
| Feature | localStorage | sessionStorage | Cookies |
|---|---|---|---|
| Size | ~5β10MB | ~5MB | ~4KB |
| Expiration | Never | Tab close | Configurable |
| Network Requests | β No | β No | β Yes |
| Accessible by JS | β Yes | β Yes | Optional |
| Best For | UI data | Temp data | Authentication |
π‘ Security Tip
Avoid storing JWT tokens in localStorage in production apps.
Better approach:
HttpOnly + Secure Cookies
This prevents JavaScript access β protects from XSS attacks.
π― Interview Questions Developers Get
β’ Difference between localStorage and cookies
β’ Why cookies are used for authentication
β’ What is HttpOnly cookie
β’ How cookies prevent CSRF attacks
β’ Storage limits of browser storage
Small frontend decisions like this can impact security, performance, and scalability of your application.
Which one do you prefer for authentication?
Cookies πͺ or localStorage? π€
Top comments (0)