Browser - Storage (Client Side Data)

About

This page is about client side data (ie stateless session) in the browser.

Data Store

Browser Native

• cookie
• local storage
• Browser - IndexedDb
• WebStorage - name/value pairs - Method of storing data locally like cookies, but for larger amounts of data (sessionStorage and localStorage, used to fall under HTML5).
• WebSql (nor more supported)

Library

In-browser databases that wrap browser storage capabilities:

• LocalForage
• PouchDB (can sync with CouchDb database)

Format

• What is a JWT or JWS token? (Json web signed token)

Security

Secure or sensitive data should not be stored persistently in browser data stores as they should be treated as insecure storage.

• Valid Data: name, email, phone number
• Not valid Data: credentials, credit card numbers.

Because the Web Storage mechanisms are APIs, they can be accessed from injected scripts, making it less secure than cookies with the httponly flag applied.

Documentation / Reference

• https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#html5-web-storage-api