Yeah, that's what I meant. There's no built in support; but it's indirectly readable since client-side JS can read it.

This miss the "HttpOnly" part, which prevents javascript (think script injection vulnerability) from touching this part of the storage