
I want to know the major security threats involved in storing the session variables in client-side local storage instead of storing them in cookies. Can somebody give me a brief description?

Anandu M Das

1 Answer

3

I assume you mean a server-side identifier, like PHPSESSID or ASPSESSIONID.

Client accessibility comes to mind. Cookies can be marked as HttpOnly, which makes them unreadable from JavaScript. This keeps an attacker who exploits XSS from stealing your session cookie, because a compliant browser will refuse to hand the cookie to the malicious script.

Local storage, on the other hand, has no such protection that I am aware of. Local storage is never sent to the server by the browser (whereas cookies are), so it would be useless to have local storage that cannot be read client-side.

vcsjones
  • It is possible to send local storage to the server. Web applications like shopping sites usually store the cart details temporarily in local storage and send them to the server at the end of the browsing session. – Anandu M Das Oct 27 '14 at 08:04
  • @AnanduMDas the only way to send it to the server is to have client script send it, which an attacker can then do with XSS, too. You could use CSP to prevent that, though some browsers, like IE, have weak support for CSP. – vcsjones Oct 27 '14 at 11:07