lknuth 4 days ago
To expand on the "not as secure" comment: local storage is accessible to every JS that runs in the context of the page. This includes anything loaded into the page via <script src=""/> like tracking or cookie consent services.
brabel 4 days ago
And I feel like it's important to expand on the fact that cookies are visible to JS by default as well, unless the cookie has the `HttpOnly` attribute set. Obviously, for auth, you absolutely want the session cookie to have both the `Secure` and `HttpOnly` attributes. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#bl...
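The two comments above make one concrete point: anything in localStorage, and any cookie without `HttpOnly`, is readable by every script in the page, including third-party tags. The following is an added example written for this thread, not code posted by either commenter. It builds a session `Set-Cookie` header with the attributes named above and audits a list of `Set-Cookie` headers for session cookies that `document.cookie` (and therefore any injected or third-party script) could read. The cookie names (`sid`, `legacy_sid`, `theme`), the one-hour lifetime and the sample headers are constructed for the example; the attribute names themselves are the standard ones from RFC 6265. Runs under Node.js with no dependencies.

```javascript
// Added example, not from the original thread. Hardened Set-Cookie builder plus
// an audit that flags session cookies a page script could read or that could
// be sent over plain HTTP. Node.js, no dependencies.

// Build a Set-Cookie header for a session cookie. Defaults: Secure, HttpOnly,
// SameSite=Lax, Path=/. maxAge is in seconds (assumed one-hour lifetime).
function buildSessionCookie(name, value, opts = {}) {
  const {
    maxAge = 3600,
    sameSite = 'Lax',
    secure = true,
    httpOnly = true,
    path = '/',
  } = opts;
  // Cookie names must be RFC 6265 tokens; values may not contain separators.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error(`invalid cookie name: ${name}`);
  }
  if (/[\s;,"\\]/.test(value)) {
    throw new Error('cookie value contains characters that are not allowed');
  }
  const parts = [`${name}=${value}`, `Path=${path}`, `Max-Age=${maxAge}`, `SameSite=${sameSite}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse one Set-Cookie header into name, value and a lower-cased attribute map.
// Flag attributes (Secure, HttpOnly) map to true; valued ones keep their value.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf('=');
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attrs };
}

// A cookie without HttpOnly is included in document.cookie, so every script
// running in the page, first- or third-party, can read it.
function readableFromJs(cookie) {
  return !cookie.attrs.httponly;
}

// Audit Set-Cookie headers. sessionNames lists the cookies that carry auth
// state; each of those must have both Secure and HttpOnly. Returns findings.
function auditSetCookies(headers, sessionNames) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!sessionNames.includes(c.name)) continue; // non-auth cookies are out of scope
    if (readableFromJs(c)) {
      findings.push(`${c.name}: session cookie readable via document.cookie (missing HttpOnly)`);
    }
    if (!c.attrs.secure) {
      findings.push(`${c.name}: session cookie may be sent over plain HTTP (missing Secure)`);
    }
  }
  return findings;
}

// Constructed sample: one correct session cookie, one harmless preference cookie,
// and one legacy session cookie that a page script could read.
const sampleHeaders = [
  buildSessionCookie('sid', 'abc123'),
  'theme=dark; Path=/',
  'legacy_sid=xyz; Path=/; Secure',
];
console.log(auditSetCookies(sampleHeaders, ['sid', 'legacy_sid']));
```

Running the block prints one finding, for `legacy_sid`; the `theme` cookie is readable by scripts too, but it carries no auth state, so the audit ignores it. Note that `HttpOnly` only hides the cookie from `document.cookie`; a script in the page can still send requests that the browser attaches the cookie to, which is the point vbezhenar raises below.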
vbezhenar a day ago
Scripts can do almost everything, for example replace the whole page with a login page identical to the real one and send the entered password somewhere. Leaking a session identifier is bad, but it's not as severe compared to other things scripts can do.