Skip to content Skip to sidebar Skip to footer
Home / Javascript / Php

Security - Sessions ( Default Use - Cookie ) Vs. Local Storage

Post a Comment
I'm not concerned with browser compatibility. I want to know if I move my state from PHP Controlled ( Server-Side) sessions to the JavaScript Controlled ( Client - Side ) HTML 5 lo

Solution 1:

I have a JavaScript solution I want to replace my PHP Sessions with.

No. Do not do it. Sessions are stored in the server side. The cookie that is sent out to the browser is typically an identifier for that record. Session stores user-specific data. Almost anything stored on the client side can be easily modified by the user. So if the user modifies the session to point to another user, the security would no longer hold.

LocalStorage is NOT for storing sessions. Stick with PHP sessions, or any other session mechanism that is implemented on the server side.

Update

But the same security flaw is present...a user can login as one person...fiddle with the session_id of the Session and become someone else...fiddling with a session_id...equates to fiddling with who you appear to be to the server ?...this would be the same as fiddling with an encrypted user_id in local_storage.

No. Suppose I figure out the algorithm you are encrypting with. And I know of another user say UserB. I encrpyted his username using that algorithm. If I somehow overwrite my localStorage with that encrypted string, I am him now. That is not much possible practically. Think of it as there are 100 users and 128 byte-string is the identifier. Are you sure you would be able to fiddle with it and modify it into another record which exists in the table of sessions?

Solution 2:

Local storage is best suited for data that you want to cache on the client in a (more permanent) way then with the regular browser cache. The only way it's "more secure" is if you want to allow the user to work with data that's never sent to the server.

If you're worried about session hijacking, the preferred solution would be to use https/ssl and encrypt all traffic between you and the client. There's a general overview of the problem and solutions on wikipedia (we'd need more information to give you anything much more specific than that, though).

Solution 3:

You wouldn't gain or lose security as in most browsers all data set by sites are stored in the same folder

You may like these posts

Post a Comment for "Security - Sessions ( Default Use - Cookie ) Vs. Local Storage"