Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
graypegg 5 days ago

I think one important use case we have for cookies is "Secure; HttpOnly" cookies. Making a token totally inaccessible from JS, but still letting the client handle the session is a use case that localStorage can't help with. (Even if there's a lot of JWTs in localStorage out there.)

emn13 5 days ago | parent [-]

However, potentially a localStorage (and sessionStorage!) compatible cookie-replacement api might allow for annotating keys with secure and/or HttpOnly bits? Keeping cookies and localStorage in sync is a hassle anyhow when necessary, so having the apis align a little better would be nice. Not to mention that that would have the advantage of partially heading off an inevitable criticism - that users don't want yet another tracking mechanism. After all, we already have localStorage and sessionStorage, and they're server-readable too now, just indirectly.

On the other hand; the size constraints on storage will be less severe than those on tags in each http request, so perhaps this is being overly clever with risks of accidentally huge payloads suddenly being sent along with each request.

xp84 5 days ago | parent | next [-]

I think if I were implementing a webapp from scratch today I'd use one single Session ID cookie, store sessions in Redis (etc) indefinitely (they really aren't that big), and for things meant to be stored/accessed on the frontend (e.g. "has dismissed some dumb popup") just use local storage. Dealing with anything to do with cookies is indeed incredibly painful.

mdaniel 5 days ago | parent | prev [-]

> and they're server-readable too now, just indirectly.

Could you point me to more reading about this? It's the first time I've heard of it

graypegg 5 days ago | parent [-]

I think they mean that you can always send back the content of a localstorage property with javascript grabbing the value and sending another request back with it in the body. Since the front end is going to run any javascript the server sends it (disregarding adblockers at least), it's sort of a more indirect version of Set-Cookie.

emn13 5 days ago | parent [-]

Yeah, that's what I meant. There's no built in support; but it's indirectly readable since client-side JS can read it.

j16sdiz 5 days ago | parent [-]

This miss the "HttpOnly" part, which prevents javascript (think script injection vulnerability) from touching this part of the storage