Question

Is it more secure to hold the sessionId at client side (to avoid logging in each time) using local storage or session storage rather than using cookies?


Solution

No! Keeping the sessionid on the client side is a bad idea, because it can be easily captured by an attacker (by XSS, for example). Any information held in web storage is unprotected.

Hold your sessionid in a cookie and don't forget to mark HttpOnly and secure flags.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow