cookie vs localStorage vs sessionStorage
| Property | Cookie | localStorage | sessionStorage |
|---|---|---|---|
| Initiator | Client or server. Server can use Set-Cookie header | Client | Client |
| Expiry | Manually set | Forever | no |
| Persistent across browser sessions | Depends on whether expiration is set | yes | no |
| Sent to server with every HTTP request | Cookies are automatically being sent via Cookie header | no | no |
| Capacity (per domain) | 4kb | 5mb | 5mb |
| Access | any window | any window | same tab |
How to use
cookies:
- After the client browser sends the request for the first time, the server will add a
Set-Cookiein the header of the response and put the cookie into the response, and send it back to the user's browser, which will be stored locally on the client side. In addition, the cookie will be carried and sent back to the server when the user's browser sends a request next time.
localStorage and sessionStorage:
-
Both of them are stored on the user's browser in the way of key-value.
// store data in localStorage localStorage.setItem("memberName", "John"); // localStorage read data localStorage.getItem("memberName"); // sessionStorage stores data sessionStorage.setItem("memberName", "John"); // sessionStorage read data sessionStorage.getItem("memberName");
When to use which
cookies are automatically included in HTTP requests, so they are often used in scenarios where user identification is required.
Since the capacity of localStorage is much larger than that of cookies and it will not be easily deleted, it is relatively wide, such as cross-page data transfer, or data that needs to be stored for a long time.
sessionStorage is suitable for saving data that will be used for a single use because of its short life cycle, such as saving form data.
Lifecycle
cookies: You can use Expires to indicate the expiration time, or Max-Age to indicate the effective time length. If it is not set, the default is to expire after closing the browser.
localStorage: Unless it is manually deleted on the client side, or the program code is cleared, it will be stored permanently.
sessionStorage: It will be automatically cleared every time the page is closed or the browser is closed.
Stored data size
cookies: about 4KB.
localStorage and sessionStorage: about 5MB~10MB (depending on different browsers) detailed (opens in a new tab).
HTTP request
cookies: It will be attached in the HTTP header and sent with every request, so if it is used too much, it may cause performance issues.
localStorage and sessionStorage: They only exist in the client's browser and are not sent with every request.
Improving cookie security
Since cookies will be automatically sent with the HTTP request to the server, security issues need to be considered.
-
Secure: WithSecure, it ensures that only encrypted requests will be sent to the server when they are sent over the HTTPS protocol. -
HttpOnly: WithHttpOnly, you can avoid JavaScript Document.cookie method to getHttpOnly cookies,HttpOnly cookieswill only be sent to the server, this method can avoid cross-site scripting attacks (XSS).