Original Post: Session Token Security: Local Storage vs. Cookies | by Florian Walter | Sep, 2024
In the ongoing debate among cybersecurity professionals about where to store session tokens securely, in a cookie or in Local Storage, the answer is nuanced. Traditionally, cookies with appropriate security flags such as `HttpOnly` and `SameSite` are seen as safer because of their resilience against XSS attacks. However, the author, a pentester, advocates for Local Storage, citing its ability to mitigate vulnerabilities such as CSRF, CORS misconfiguration abuse, and authenticated XSS. Local Storage doesn't automatically send tokens with requests, thereby reducing the risk of certain attacks. While cookies offer some protections, they can still be exploited by skilled attackers using XSS. The article ultimately suggests that, in practice, Local Storage may provide better overall security for session tokens.
Go here to read the Original Post