Is it okay to store session id in localStorage?

httpOnly cookies provide a layer of XSS defence that localStorage does not provide:

  • httpOnly cookies are not accessible from [potentially malicious] JS.
  • localStorage is accessible from JS.

Session IDs should be stored in httpOnly secure cookies.


It depends upon what you mean by "is it secure"?

localStorage is about as secure as a non-path restricted cookie. From web pages, it can only be accessed by pages from the same domain. Zillions of sites store session ids in cookies which have about the same security restrictions as localStorage.

Outside of web pages, neither localStorage nor cookies are secure at all from access by other programs or even web debugging tools running on the same computer.