Question

Is it more secure to hold the sessionId at client side (to avoid logging in each time) using local storage or session storage rather than using cookies?


Solution

No! Keeping the sessionid on the client side is a bad idea, because it can be easily captured by an attacker (by XSS, for example). Any information held in web storage is unprotected.

Hold your sessionid in a cookie and don't forget to set the HttpOnly and Secure flags.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow