LocalStorage was a mistake...

Keeping any sensitive information in LocalStorage is a pretty bad idea. It's great for things like user preferences, language settings, light/dark mode and other stuff your users are allowed to change. But for payment info or session ids, that's a NO from me dawg
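
The practical follow-up to the description above is an audit: before deciding what "sensitive" means for your app, look at what is actually sitting in Web Storage. The script below is an added example (not from the video or its author) that walks a Storage-like object and flags values that look like JWTs, long hex tokens or Luhn-valid card numbers, plus keys whose names hint at secrets. In a browser you would call `auditStorage(window.localStorage)`; here it runs against a constructed fake storage so it works offline in Node. The regexes, thresholds and key-name hints are my assumptions, tuned for a first pass rather than completeness.

```javascript
// Added example: audit a Storage-like object for secret-looking values.
// Everything below (patterns, thresholds, sample data) is constructed.

// Three base64url segments separated by dots: the shape of a JWT.
const JWT_RE = /^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$/;
// 32+ hex chars: typical of opaque session ids and API keys.
const HEX_TOKEN_RE = /^[0-9a-f]{32,}$/i;
// Key names that usually mean "this should not be in localStorage".
const KEY_HINTS = /(token|session|secret|password|auth|card|cvv)/i;

// Luhn checksum over a digit string; true for well-formed card numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Returns a label for a suspicious value, or null if it looks harmless.
function classifyValue(value) {
  const v = String(value).trim();
  if (JWT_RE.test(v)) return 'jwt';
  if (HEX_TOKEN_RE.test(v)) return 'hex-token';
  const digits = v.replace(/[\s-]/g, '');
  if (/^\d{13,19}$/.test(digits) && luhnValid(digits)) return 'card-number';
  return null;
}

// Walks any object with length, key(i) and getItem(k) (the Storage interface)
// and returns one finding per suspicious entry.
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const kind = classifyValue(storage.getItem(key));
    if (kind || KEY_HINTS.test(key)) {
      findings.push({ key, reason: kind || 'suspicious key name' });
    }
  }
  return findings;
}

// Constructed stand-in for window.localStorage so the example runs in Node.
function fakeStorage(entries) {
  const keys = Object.keys(entries);
  return {
    length: keys.length,
    key: (i) => keys[i],
    getItem: (k) => (k in entries ? entries[k] : null),
  };
}

// Constructed sample data: two harmless preferences, two things that should
// never be here (the JWT and card number are made-up test values).
const SAMPLE_STORAGE = fakeStorage({
  theme: 'dark',
  lang: 'en',
  access_token: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.abcdefghijklmnopqrstuvwxyz0123',
  cc: '4111 1111 1111 1111',
});

console.log(auditStorage(SAMPLE_STORAGE));
```

The preferences the description lists (theme, language) pass untouched; the token and card number are reported. A clean audit is not proof of safety, but a non-empty one is a concrete finding you can hand to the team that owns the page.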

Comments

if someone can find a way to execute javascript on your app, then you are already screwed, doesn't matter if your token is in cookies or local storage

jaspreetmaan

Josh you are making great videos but sometimes you are making videos with half-baked knowledge which leads people in the wrong direction. Local storage data is only accessible within the same domain and protocol that created it, restricting its cross-domain usage. If your website is vulnerable to XSS, localStorage or cookie doesn't do much. Next time please search more about a topic before making a video.

muratcemyalin

Your advice is like: Don't store your everyday jewelry in your house, because if somebody finds a key under the back-door carpet he can steal it. Instead lock it in a bank cell and never take it out of there.

LS and cookies are absolutely different things for different purposes. It's not a problem of LS that it can be accessed. If you need this data in the script you need to get it from somewhere, and http-only cookies aren't for that.

QwDragon

I can understand the "don't put sensitive information" in the LocalStorage; it applies to multiple scenarios, not only this one. Other than that, the "LocalStorage was a mistake..." is only a clickbait title.

theramenboy

Now he banned local storage. The channel should be renamed as "Josh is still figuring out Coding"

CookerSingh

I think your points are not really valid for calling out localStorage to be a mistake. It has flaws, but cookies also have flaws. In fact everything has flaws, because it's man-made.
If you're afraid that your app might be vulnerable to XSS attacks, then make your app more XSS-proof rather than stop using localStorage. I mean XSS attacks can target a whole lot of different areas than just localStorage. The attacker has control over the whole JS part of the victim. They can do whatever JS is capable of doing, not just accessing localStorage or cookies.
In addition to making your app more XSS-proof, you can also make your localStorage more secure by encrypting its data. In my opinion that might be overkill, but if you're paranoid, sure, go ahead.

kapobajza

Sure, cookies are not vulnerable to XSS, but they're vulnerable to CSRF. And just like how CSRF can be circumvented using CSRF tokens, XSS can also be circumvented by using two tokens, one stored in local storage and one stored in a secure cookie (usually called access and refresh tokens, though those specific names entail additional functionalities).

Also to clarify, document.cookie is a string that's the concatenation of all the cookies stored. It's undefined in this example, but if you have multiple cookies, among which a few are secure (http only), document.cookie would be defined and will contain all the non-secure cookies.

parlor

xss attack doesn't need to steal your cookie, it can just steal your bank money by making requests using the cookie

hebid

for viewers: it's ok to use LS :)

krome

my god dude, learn how the web works. cookies do nothing for you if an attacker is in, he can make requests that pass along the cookie

bgdnsr

The solution to XSS is to sanitize your inputs and outputs, not to never use localStorage. If you're using a popular framework it's probably already sanitizing your outputs for you even. I feel like this video is mixing up a bunch of topics that don't necessarily need to be... it comes across as a bit unfocused to me
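
The "sanitize your outputs" part of this comment is context-aware output encoding, which is what frameworks do for you by default. The example below is added here (not the commenter's code) and shows a hypothetical comment renderer in two forms: the unsafe string-concatenation version that lets user text land in the HTML parser unchanged, and a hardened version that HTML-escapes text and only allows http(s) links in `href`. The sample inputs are constructed; `renderComment`, `renderCommentUnsafe` and `safeHref` are names I chose.

```javascript
// Added example: output encoding for the HTML text, attribute and URL contexts.
// Function names and sample inputs are constructed for illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escapes the five characters that matter in HTML text and quoted attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// URL context: only http(s) schemes are allowed into href; anything else,
// including strings that do not parse as URLs, becomes an inert '#'.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    if (u.protocol === 'http:' || u.protocol === 'https:') return escapeHtml(u.href);
  } catch (e) {
    // not a parseable absolute URL
  }
  return '#';
}

// Hardened renderer: every interpolation is encoded for the context it lands in.
function renderComment(user, text, profileUrl) {
  return `<div class="comment"><a href="${safeHref(profileUrl)}">${escapeHtml(user)}</a>: ${escapeHtml(text)}</div>`;
}

// Unsafe renderer: the pattern that creates a stored XSS in the first place.
function renderCommentUnsafe(user, text, profileUrl) {
  return `<div class="comment"><a href="${profileUrl}">${user}</a>: ${text}</div>`;
}

// Constructed sample inputs: a script tag in the body and a non-http scheme
// in the profile link, the two contexts the renderer has to handle.
const SAMPLE_USER = 'bob';
const SAMPLE_TEXT = '<script>alert("x")</script> hello';
const SAMPLE_URL = 'javascript:alert(1)';

console.log(renderComment(SAMPLE_USER, SAMPLE_TEXT, SAMPLE_URL));
```

Escaping is per context: the same `escapeHtml` is correct for text nodes and quoted attribute values, but it does nothing for a URL scheme, which is why `href` gets its own check. Inside an inline `<script>` or an unquoted attribute neither helper is enough, and the right fix there is to not interpolate user data into those contexts at all.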

David-gjdc

I hung my front door key from the screen door, now someone has taken all my stuff. Don't use doors.

NuncNuncNuncNunc

Summary: "USE COOKIES" for private things

boi-kheko

josh u got me back into coding i use ur stuff day to day and i love how you structure your projects! thank you for all that you do

NateTron

This guy just thought he outsmarted W3C without even reading the specs first lol. Worst thing, script kiddies like this and that Theo guy are consumed by juniors who actually buy into it all, which is sad for the software industry.

marcusg

Who the fuck would ever save sensitive things in localstorage?

kekw

I just don't agree with this video, and the topic is just not for this channel; 99% of people watching ur content know what u talked about in this video

baetraki

Damn it. I wrote this massive comment that took 10min to write, on how ProtonMail uses encrypted local storage to make their email content searchable, only for YouTube to auto delete my comment. FKN hell.

Hobbitstomper

You are using localstorage in the wrong way. Save theme data there, what page the user is on, on a table. Localstorage was not a mistake; what makes you think you are smarter than a whole corporation? They thought about it long and hard.

bbfrancis

Local storage was not a mistake. It has its uses. Even cookies are not secure if you don't have the correct configuration. People should stop using local storage for what it is not meant for lol.

BlurryBit