Skip to content

Crucial Insights from Florian Walter on Session Token Security: Comparing Local Storage and Cookies

Original Post: Session Token Security: Local Storage vs. Cookies | by Florian Walter | Sep, 2024

In the ongoing debate among cybersecurity professionals about securely storing session tokens — in a cookie or Local Storage — the answer is nuanced. Traditionally, cookies with appropriate security flags like HttpOnly and SameSite are seen as safer due to their resilience against XSS attacks. However, the author, a Pentester, advocates for Local Storage, citing its ability to mitigate vulnerabilities such as CSRF, CORS, and authenticated XSS. Local Storage doesn’t automatically send tokens with requests, thereby reducing the risk of certain attacks. While cookies offer some protections, they can still be exploited by skilled attackers using XSS. The article ultimately suggests that, in practice, Local Storage may provide better overall security for session tokens.

Go here to read the Original Post

Leave a Reply

Your email address will not be published. Required fields are marked *