DEV Community

loading...

Discussion on: localStorage vs cookies: the "tabs vs spaces" sterile debate of web development πŸ™„

Collapse
sleeplessbyte profile image
Derk-Jan Karrenbeld

Saying "don't use localStorage because its accessible by JavaScript" is indeed a very bad argument but doesn't really say anything. Don't use if for what? This article is, just like the premise, comparing apples to oranges.

I think from your article you meant that people say that localStorage shouldn't be used as a storage mechanism for authentication/authorization tokens. That means that the real debate is session in a cookie vs 'token-that-will-likely-be-stored-via-a-storage-api-such-as-localstorage'.

That said. Using localStorage is fine. Using JWTs is overrated and in most cases actually done insecurely. I don't think anyone should be condescending when mentioning this, but I think they often are because they don't understand why it's seen as problematic by those in SecOps.

Collapse
oguimbal profile image
Olivier Guimbal Author

Yup, you're right, I did not specifically mention that it was "localstorage as a mean to store auth tokens". I thought it was kind of implicit πŸ˜‘.

I agree, things are most often actually implementd insecurely. That statement also applies to cookie usage, and lets be honest, to the pretty much everything when you're dealing with security...

Collapse
sleeplessbyte profile image
Derk-Jan Karrenbeld

It might have been the implicit intention, but I do think there is a big difference between discussing JWTs stored in localstorage or localstorage as a technology.

Regardless, Sven Slootweg made two compelling posts in 2016 pointing out why using JWTs (stored in localstorage) instead of using a session cookie is a bad idea, and I think he does it without being distasteful about it.

I think that, as developer, we should be aware of these points so that when we do choose to use a JWT stored in localstorage as a session token, instead of using a cookie for session authentication, we can actively guard that we use a good implementation. So instead of saying "everything is insecure", we say "we're informed, and decided that it's Good Enoughβ„’".

People who blatantly say "don't use JWTs" or "don't use localStorage" without elaboration or without understanding the nuance of each decision are honestly not worth your (or my) time. It's indeed pointless.

I don't agree that it's the same as tabs vs spaces, but it definitely has the same level of tribalism (and with that it becomes pointless shouting instead of constructive debate).