Remix.run Logo
graypegg 10 months ago

I think one important use case we have for cookies is "Secure; HttpOnly" cookies. Making a token totally inaccessible from JS, but still letting the client handle the session is a use case that localStorage can't help with. (Even if there's a lot of JWTs in localStorage out there.)

emn13 10 months ago | parent [-]

However, potentially a localStorage (and sessionStorage!) compatible cookie-replacement api might allow for annotating keys with secure and/or HttpOnly bits? Keeping cookies and localStorage in sync is a hassle anyhow when necessary, so having the apis align a little better would be nice. Not to mention that that would have the advantage of partially heading off an inevitable criticism - that users don't want yet another tracking mechanism. After all, we already have localStorage and sessionStorage, and they're server-readable too now, just indirectly.

On the other hand; the size constraints on storage will be less severe than those on tags in each http request, so perhaps this is being overly clever with risks of accidentally huge payloads suddenly being sent along with each request.

xp84 10 months ago | parent | next [-]

I think if I were implementing a webapp from scratch today I'd use one single Session ID cookie, store sessions in Redis (etc) indefinitely (they really aren't that big), and for things meant to be stored/accessed on the frontend (e.g. "has dismissed some dumb popup") just use local storage. Dealing with anything to do with cookies is indeed incredibly painful.

mdaniel 10 months ago | parent | prev [-]

> and they're server-readable too now, just indirectly.

Could you point me to more reading about this? It's the first time I've heard of it

graypegg 10 months ago | parent [-]

I think they mean that you can always send back the content of a localstorage property with javascript grabbing the value and sending another request back with it in the body. Since the front end is going to run any javascript the server sends it (disregarding adblockers at least), it's sort of a more indirect version of Set-Cookie.

emn13 10 months ago | parent [-]

Yeah, that's what I meant. There's no built in support; but it's indirectly readable since client-side JS can read it.

j16sdiz 10 months ago | parent [-]

This miss the "HttpOnly" part, which prevents javascript (think script injection vulnerability) from touching this part of the storage