Wednesday, 29 March 2017

Does HTML5 web storage (localStorage) offer a security advantage over cookies?




I was looking up alternative to cookies and I've read about HTML5 web storage here, and I've read a simpler explanation here but I still don't get how it works fully. Can someone offer a slightly non-techinical explanation so that I can then understand the technical bits. It says about browsers having to store key value pairs but where and how is it stored and why is it inaccessible to other sites? Why isn't it considered just an other form of cookies?




  1. I'm looking for a thorough and complete alternative to cookies; as in if my organisation wants to replace all it's websites from using cookies to say an alternative for say web-storage then can we easily say 'Yes' to that requirement? Let's assume only the latest browsers are used.


  2. How and in what ways does web-storage enhance security when
    compared to cookies? Does it have potential to compromise security
    in other ways? Is there someone with any real life experiences who
    can share the pros and cons?



Answer






Both cookies and localStorage are protected from access by unrelated domains by the Same Origin Policy.



The difference is that localStorage is only accessible through JavaScript, whilst cookies are accessible through JavaScript1 and sent with each HTTP request.



There isn't much of a security benefit of using localStorage as opposed to cookies. The difference between the two is because the goal is different: localStorage can be used for things you'll only use in JavaScript, whilst cookies can be used for storing things you need on the server (as well).



Both can be accessed by anyone that has access to the browser of a user's computer and both localStorage and cookies can be accessed by JavaScript that is executed on the web page. (For the latter, see the exception below.)




You can see this if you enter localStorage or document.cookie in the browser console.




  1. You can set the HTTPOnly flag on a cookie so it isn't accessible through JavaScript.





Since there is already a lot of information available on using localStorage, I will just refer to two web sites documenting it:








How the data is stored differs per browser. Below, I give information on how Mozilla Firefox stores cookies and local storage.



Note: instructions on how to find your Firefox profile are available in this article at Mozilla Support.



Cookies




Firefox stores your cookies in your profile folder in a file named cookies.sqlite. This is a SQLite database. Opening the file using SQLiteStudio shows that the database contains one table, moz_cookies.



Table structure



The table is structured as follows:



Table structure of the moz_cookies table in cookies.sqlite in the Mozilla Firefox profile directory



Table contents




Here is a part of the contents of my cookies.sqlite database:



Contents of of the moz_cookies table in cookies.sqlite in the Mozilla Firefox profile directory



LocalStorage



Firefox stores your localStorage data in your profile folder in a file named webappsstore.sqlite. This is a SQLite database. Opening the file using SQLiteStudio shows that the database contains one table, webappsstore2.



Table structure




The table is structured as follows:



Table structure of the webappsstore2 table in webappsstore.sqlite in the Mozilla Firefox profile directory



Structure of the column contents:




  • scope:

    • ::



  • KEY:

    • The name name of the stored value.


  • value

    • The stored value


  • secure


    • This column isn't used.


  • owner

    • This column isn't used.




Table contents




Here is a part of the contents of my webappsstore.sqlite database:



Contents of of the webappsstore2 table in webappsstore.sqlite in the Mozilla Firefox profile directory



This is the same as the data that I get when I type localStorage in the console at the web page https://login.persona.org.





As you can see, data from both cookies and local storage is stored by the browser in the same way. If you are concerned about the safety of data that is being stored at the user's computer, localStorage offers no security benefit over cookies.




In fact, it may even be a greater risk, because you can set cookies to expire after a certain time, whilst localStorage won't expire. Thus, data saved in localStorage may remain at the user's computer for longer than if you would have if you had used cookies.



(If, however, you only need to store data for the duration of a single session, you can use sessionStorage instead of localStorage.)


No comments:

Post a Comment

c++ - Does curly brackets matter for empty constructor?

Those brackets declare an empty, inline constructor. In that case, with them, the constructor does exist, it merely does nothing more than t...