Can user modify the values of variables stored in sessionStorage

Question

I'm using client-side JavaScript to store some variables using Web Storage, more specifically, the sessionStorage.

But I'm not sure whether a user can simply modify the value of such variables in any way? If so, please provide an example of how this could happen.

Answer 1

Yes, users can always modify the values of their own storage. I can think of three ways right off the bat:

• use web browser console to run JS commands that modify storage
• setup client-hosted site with client-specified DNS to run their own code that modifies storage
• open the local storage files and manually edit them

What's important is that you don't trust client storage. If you're going to store session information on the client, then you need some way for your server-side code to verify that the information hasn't been tampered with. There are other reasons you may not want to store this information on the client side (privacy, for example), but assuming you've thought through those, you still need to make sure you either trust the client's data or that you make sure trust isn't necessary.

Answer 2

Not exactly sure in your case, but as a rule sessions should always be handled server side and not client side. The one of the main points of sessions is to remove that data from the client side altogether for security reasons

Answer 3

Completing hrunting and tucker's answers, a user can even alter sessionStorage by simply acessing the browsers dev tools (usually F12).