DEV Community

Cover image for Cookies vs Local Storage

Cookies vs Local Storage

Pragati Verma on May 23, 2021

One of the most popular myths in the web dev community is around cookies & local storage. It's also a commonly asked interview question. Let's ...
Collapse
 
pobx profile image
Pobx

I agree with you about we did not store a sensitive data in localStorage. Actually, It's a place for access_token(public data) that is enough.

Collapse
 
asimaltayb profile image
asim altayb

What about store user info like email, phone number and name
And his access_token
All of them encrypted
In local storage

Collapse
 
pragativerma18 profile image
Pragati Verma

Hey Asim, ideally, you can't secure local storage and it is not recommended to store any sensitive data in local storage. You can try and encrypting it, but there is a catch. Encrypting it on the client is possible, but would mean the user has to provide a password and you have to depend on not-so-well-tested javascript implementations of cryptography.

Encrypting on the server side is of course possible, but then the client code cannot read or update it, and so you have reduced localStorage to a glorified cookie.

If it needs to be secure, its best to not send it to the client. What is not in your control can never be secure.

Collapse
 
pobx profile image
Pobx

How to encrypt all above of them. I have no idea about it.

Thread Thread
 
pragativerma18 profile image
Pragati Verma

Although, it's not preferred to store data in localStorage but if you want to encrypt it, you can try the below links:

Thread Thread
 
pobx profile image
Pobx

Thank you for your information. I was read both of them on gitHub. I think the secure-ls libraries sound good. but I don't have idea to used it for more secured my localStorage because I need to set a key in client application(like js) and it's can read by browser network tab(Edge, Chrome). Thank you for your advice.

Collapse
 
yosh profile image
Yosh (यशोधन)

Worth noting that server cookies sent over HTTPS with the Secure flag are indeed encrypted.

Collapse
 
ikehakinyemi profile image
17th_streetCode

Great content, Verma.🥰

From this, “ SQL injection can be performed from a cookie”.

Could you provide a verbose possibility of this? Like what’s the possible code scenario through which this can happen.

Thank you.

Collapse
 
johann_lr profile image
Johann

Is the local Storage really as big as 5Mb per domain in general? I use an application storing a bit more there…

Collapse
 
pragativerma18 profile image
Pragati Verma

Hey, Johann. localStorage capacity varies by browser, with 2.5MB, 5MB, and unlimited being the most common values. Google Chrome, Mozilla Firefox, and Opera provide 10MB per origin. You can also customize the storage size.

You can use this test to check for the storage size in your browser.

Hope this helps. If you have any other doubts, let me know.

Collapse
 
johann_lr profile image
Johann

Thanks for the answer!

Collapse
 
asimaltayb profile image
asim altayb

What about store user info like email, phone number and name
And his access_token
All of them encrypted
In local storage

Collapse
 
pragativerma18 profile image
Pragati Verma

Hey Asim, ideally, you can't secure local storage and it is not recommended to store any sensitive data in local storage. You can try and encrypting it, but there is a catch. Encrypting it on the client is possible, but would mean the user has to provide a password and you have to depend on not-so-well-tested javascript implementations of cryptography.

Encrypting on the server side is of course possible, but then the client code cannot read or update it, and so you have reduced localStorage to a glorified cookie.

If it needs to be secure, its best to not send it to the client. What is not in your control can never be secure.