Saying "don't use localStorage because it's accessible by JavaScript" is indeed a very bad argument but doesn't really say anything. Don't use it for what? This article is, just like the premise, comparing apples to oranges.
I think from your article you meant that people say that localStorage shouldn't be used as a storage mechanism for authentication/authorization tokens. That means that the real debate is session in a cookie vs 'token-that-will-likely-be-stored-via-a-storage-api-such-as-localstorage'.
That said, using localStorage is fine. Using JWTs is overrated and in most cases actually done insecurely. I don't think anyone should be condescending when mentioning this, but I think they often are because they don't understand why it's seen as problematic by those in SecOps.
Yup, you're right, I did not specifically mention that it was "localStorage as a means to store auth tokens". I thought it was kind of implicit.
I agree, things are most often actually implemented insecurely. That statement also applies to cookie usage, and let's be honest, to pretty much everything when you're dealing with security...
It might have been the implicit intention, but I do think there is a big difference between discussing JWTs stored in localstorage or localstorage as a technology.
Regardless, Sven Slootweg made two compelling posts in 2016 pointing out why using JWTs (stored in localstorage) instead of using a session cookie is a bad idea, and I think he does it without being distasteful about it.
I think that, as developers, we should be aware of these points so that when we do choose to use a JWT stored in localStorage as a session token, instead of using a cookie for session authentication, we can actively guard that we use a good implementation. So instead of saying "everything is insecure", we say "we're informed, and decided that it's Good Enough™".
People who blatantly say "don't use JWTs" or "don't use localStorage" without elaboration or without understanding the nuance of each decision are honestly not worth your (or my) time. It's indeed pointless.
I don't agree that it's the same as tabs vs spaces, but it definitely has the same level of tribalism (and with that it becomes pointless shouting instead of constructive debate).