However, there are a few security considerations that should be evaluated before completely jumping on board with local storage.
XSS and Local Storage
A popular target of XSS attacks is the session identifier, along with any sensitive data stored client-side. Just like a session ID stored in a cookie, a session ID kept in local storage can easily be stolen by the attacker.
Example XSS to steal session ID from cookie
Example XSS to steal session ID from local storage
HTTPOnly and Local Storage
Notes for penetration testing:
Final Thoughts on Local Storage and Security
Proof of concept XSS with local storage:
Get a Local Storage Value via URL scriptlet:
Set a Local Storage Value via URL scriptlet:
Set a Local Storage Value with JSON via URL scriptlet:
Get Number of Local Storage Objects via URL scriptlet:
Clearing all Local Storage associated with site:
1. Don't use local storage for session identifiers. Stick with cookies and use the HTTPOnly and Secure flags.
2. If cookies won't work for some reason, then use session storage, which is cleared when the user closes the browser window.
3. Be cautious about storing sensitive data in local storage. Like any other client-side storage option, this data can be viewed and modified by the user.
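As an added example that is not part of the original post, the following Node.js code builds a session cookie with the flags recommended in point 1 and audits an arbitrary Set-Cookie header for the ones that are missing; the function names and the sample header are assumptions constructed for illustration.

```javascript
// Added example (not from the original post): build a session cookie with the
// HttpOnly and Secure flags and audit a Set-Cookie header for missing ones.
// Function names and the sample header are constructed for illustration.

const REQUIRED_SESSION_FLAGS = ['HttpOnly', 'Secure'];

// Build a Set-Cookie header value for a session identifier. Hardened
// attributes are the default, so a caller has to opt out explicitly.
function buildSessionCookie(name, value, opts = {}) {
  const { httpOnly = true, secure = true, sameSite = 'Lax', path = '/' } = opts;
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error('invalid cookie name');
  }
  if (/[;,\s"\\]/.test(value)) {
    throw new Error('cookie value contains characters that need quoting');
  }
  const parts = [`${name}=${value}`, `Path=${path}`, `SameSite=${sameSite}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse a Set-Cookie header into its name/value pair and a map of attributes.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attributes = {};
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attributes };
}

// Return the recommended flags missing from a session cookie header. An empty
// array means the cookie is hidden from document.cookie (HttpOnly) and is not
// sent over plain HTTP (Secure).
function auditSessionCookie(header) {
  const { attributes } = parseSetCookie(header);
  return REQUIRED_SESSION_FLAGS.filter((f) => !attributes[f.toLowerCase()]);
}

// Constructed sample of a header that still omits both flags.
const WEAK_HEADER = 'sessionid=abc123; Path=/';
```

Running auditSessionCookie over each Set-Cookie header in a response gives a quick check that no session cookie is exposed to script or to cleartext transport.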