Why is using localStorage in JS insecure?

Does it depend on the data stored, or does it apply to any implementation?

Yes, it depends on the data stored.

localStorage saves data in the user's browser; it is persistent and survives system reboots or shutdowns. sessionStorage works almost the same way, but the data is only kept until the window or the tab is closed.

Saving sensitive information like credentials or session tokens in localStorage is insecure because of its inherent characteristics: any XSS attack can extract data from the storage, and the data could also be changed by the same method. Using cookies with the httponly flag is the best way to deal with session tokens and sensitive user information.


Then there's no difference between localStorage and sessionStorage in the XSS scenario?

Where is the right place to store sensitive information like tokens or credentials?

No, the only difference is the time frame for which those methods keep saved objects, but for an XSS attack it is a simple JavaScript command.

As I said up there:

Using cookies with the httponly flag is the best way to deal with session tokens and sensitive user information

@trusting-murdock If this topic is solved, please mark it as such by checking the solution chart at the bottom of the post you consider that properly answers your question.