Is it okay to store session id in localStorage?
httpOnly cookies provide a layer of XSS defence that localStorage does not provide: httpOnly cookies are not accessible from [potentially malicious] JS. localStorage is accessible from JS.

Session IDs should be stored in httpOnly secure cookies.
It depends upon what you mean by "is it secure"?

localStorage is about as secure as a non-path-restricted cookie. From web pages, it can only be accessed by pages from the same domain. Zillions of sites store session ids in cookies which have about the same security restrictions as localStorage.

Outside of web pages, neither localStorage nor cookies are secure at all from access by other programs or even web debugging tools running on the same computer.