
Can someone explain the Cookie vs LocalStorage thing? You can access cookies from JavaScript, so how is localStorage worse? Assuming an attacker can execute arbitrary JS in the browser (the model provided by the article).

edit: Thanks for the answers - httponly, makes sense.




If you set a cookie as HttpOnly, JavaScript cannot see it. So a malicious third-party library or XSS attacker cannot steal the session. It can still make requests, and the cookies would be included, so stealing is the main difference.
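Added example (not from the thread or the linked article): a small JavaScript model of the browser's cookie jar that makes the distinction in the comment above concrete. One function returns what injected script sees through document.cookie (HttpOnly cookies filtered out), another returns what the browser attaches to a request automatically (every cookie), and a third shows that localStorage has no equivalent protection. The function names, the Set-Cookie headers and the localStorage contents are all constructed for illustration.

```javascript
// Added example, not code from the thread: a minimal model of a browser cookie jar,
// contrasting what page script can read (document.cookie / localStorage) with what
// the browser sends automatically (the Cookie request header).

// Parse one Set-Cookie header into {name, value, httpOnly, secure}.
// Attribute names are case-insensitive, so compare them lower-cased.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const [name, ...rest] = parts[0].split('=');
  const attrs = parts.slice(1).map((a) => a.toLowerCase());
  return {
    name: name.trim(),
    value: rest.join('='), // values may themselves contain '='
    httpOnly: attrs.includes('httponly'),
    secure: attrs.includes('secure'),
  };
}

// Build the jar from a list of Set-Cookie headers; a later cookie with the
// same name overwrites an earlier one, as in a real browser.
function buildJar(setCookieHeaders) {
  const jar = new Map();
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    jar.set(c.name, c);
  }
  return jar;
}

// What script on the page sees via document.cookie: HttpOnly cookies are omitted.
function documentCookie(jar) {
  return [...jar.values()]
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// What the browser attaches to a request to the cookie's origin: every cookie,
// HttpOnly or not. This is why XSS can still ride the session even when it
// cannot read the session cookie.
function cookieHeader(jar) {
  return [...jar.values()].map((c) => `${c.name}=${c.value}`).join('; ');
}

// An XSS payload's view of the world: everything readable from script.
// localStorage has no HttpOnly equivalent, so all of it is readable.
function exfiltrate(jar, localStorage) {
  return {
    cookies: documentCookie(jar),
    localStorage: Object.fromEntries(Object.entries(localStorage)),
  };
}

// Constructed sample data: a session cookie set with HttpOnly, a CSRF token cookie
// that is readable by design, and an access token the app copied into localStorage.
const SET_COOKIE_HEADERS = [
  'session=s3ss10n-id; Path=/; Secure; HttpOnly; SameSite=Lax',
  'csrf=abc123; Path=/; Secure; SameSite=Lax',
];
const LOCAL_STORAGE = { access_token: 'opaque-access-token' };

const jar = buildJar(SET_COOKIE_HEADERS);
console.log('XSS can read:', exfiltrate(jar, LOCAL_STORAGE));
console.log('Browser sends automatically:', cookieHeader(jar));
```

Running it shows the session cookie absent from what script can read but present in the outgoing Cookie header, while the localStorage token is fully readable: injected script can exfiltrate the localStorage token for later use elsewhere, but can only use the HttpOnly session while it is running inside the victim's page.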


https://portswigger.net/blog/web-storage-the-lesser-evil-for...

(It not only explains what others have said about httpOnly, but it also goes more in depth on the tradeoffs between the two.)


The author glosses over this but what they mean is that you can set the HttpOnly flag on cookies to prevent them from being accessed via JavaScript.


But is it still sent automatically on AJAX requests by browsers?


Yes.


> You can access cookies from Javascript, so how is localstorage worse?

You can access it via JS only if you don't set the httpOnly flag on the cookie.


You can't access a cookie from JavaScript if it is marked with the HttpOnly flag.



