
If you don't use third-party cookies, or they are blocked in the browser's settings, and if your cookies have the SameSite=Strict attribute, how does their behavior differ from localStorage? If your site uses localStorage, it can still save some user_id in there and identify the user. Actually, it can even send this user_id to a third party!

So what's the difference?

Why these nagging messages on every other site about using cookies, but not about using any other kind of local storage?

And yes, I understand that cookies are sent with every request, while with localStorage you need to intentionally send the locally saved info. But still, nobody warns that they can identify a user and even leak this info, just that they use cookies. Isn't this just an illusion of privacy, and wouldn't everyone be better off without this illusion?

x00

1 Answer


localStorage is also known as Web Storage, HTML5 Storage, and DOM Storage (these all mean the same thing).

localStorage is similar to sessionStorage, except that data stored in localStorage has no expiration time, while data stored in sessionStorage gets cleared when the browsing session ends (i.e. when the browser / browser tab is closed). Session storage is used much less often than localStorage, and exists only within the current browser tab - even two tabs loaded with the same website will have different sessionStorage data. sessionStorage data survives page refresh, but not closing/opening the tab. localStorage data, on the other hand, is shared between all tabs and windows from the same origin. localStorage data does not expire; it remains after the browser is restarted and even after OS reboot.

Both localStorage and session cookies work in the same way and can be altered by the user. Session cookies (if not persistent) are usually removed when you close the browser. Session cookies are usually used for keeping track of login information, shopping carts, etc. localStorage still persists even though you've closed the browser and does not expire.

A final note: both localStorage and cookies can be altered by the user and hence provide no security whatsoever.

Ryan M
Tirth Mehta
  • Thanks for the edit, @Ryan M! I felt highlighting main points could help them understand the concept in a better way. I did not know that it is discouraged. Thanks again! – Tirth Mehta Jun 12 '20 at 17:49
  • This answer has no connection to the question. Everything except for the final note is just a random info on client-side persistence. But the final note is about security, while there is nothing about security in my question. It's about privacy. – x00 Jun 13 '20 at 08:00
  • @x00 "provide no security whatsoever" this literally answers your question. The "random info" which you mentioned is for other people who might not know the difference. On another note, you can provide a better answer to your own questions. Cheers (: – Tirth Mehta Jun 13 '20 at 10:29
  • If I could answer the question I probably wouldn't have posted it. How does "provide no security whatsoever" answer the question? EU gov and a lot of people implementing cookie warning messages for some **unknown reasons** (at least to me) seem to think otherwise. And once again - about privacy and not security. Isn't the difference obvious? I can have all the security I want with encryption. But still no privacy. And if I store only `user_id` I don't even need any security. – x00 Jun 13 '20 at 13:57
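
The stores compared in this thread, as an added example that is not part of the original posts: an audit function that lists what a page keeps in localStorage, sessionStorage and script-visible cookies, with each entry's lifetime and whether the browser attaches it to requests on its own. The identifier heuristic, the `fakeStorage` helper and the sample values are assumptions made for the illustration.

```javascript
// Added example. Heuristic (an assumption): an entry is identifier-like if its
// key mentions id/user/visitor/client, or its value is a 16+ character token.
function looksLikeIdentifier(key, value) {
  const keyHint = /(^|[_-])(u?id|user|visitor|client)([_-]|$)/i;
  const token = /^[A-Za-z0-9_-]{16,}$/; // also matches UUIDs and hex digests
  return keyHint.test(key) || token.test(value);
}

// Works with anything exposing the Web Storage interface: length, key(), getItem().
function storageEntries(storage) {
  return Array.from({ length: storage.length },
    (_, i) => [storage.key(i), storage.getItem(storage.key(i))]);
}

// document.cookie yields "k=v; k2=v2". HttpOnly cookies and all attributes
// (Expires, SameSite, ...) are invisible to script, so lifetime is unknown here.
function cookieEntries(cookieString) {
  return cookieString.split(';').map(s => s.trim()).filter(Boolean).map(pair => {
    const eq = pair.indexOf('=');
    return eq < 0 ? ['', pair] : [pair.slice(0, eq), pair.slice(eq + 1)];
  });
}

function auditClientState(local, session, cookieString) {
  const rows = [];
  const add = (store, lifetime, sentAutomatically, entries) => {
    for (const [key, value] of entries) {
      rows.push({ store, key, lifetime, sentAutomatically,
                  identifierLike: looksLikeIdentifier(key, value) });
    }
  };
  add('localStorage', 'until cleared', false, storageEntries(local));
  add('sessionStorage', 'until tab closes', false, storageEntries(session));
  add('cookie', 'not readable from script', true, cookieEntries(cookieString));
  return rows;
}

// Stand-in for Web Storage so the example runs outside a browser (hypothetical helper).
function fakeStorage(obj) {
  const keys = Object.keys(obj);
  return { length: keys.length, key: i => keys[i], getItem: k => obj[k] };
}

// Constructed sample state, not taken from any real site.
const sample = auditClientState(
  fakeStorage({ user_id: '42', theme: 'dark' }),
  fakeStorage({ draft: 'hello' }),
  'session=3f2a9c1e7b4d4e0fa1b2c3d4e5f60718; lang=en');
console.table(sample);
```

In a browser console, the same function can be called as `auditClientState(localStorage, sessionStorage, document.cookie)`.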