
PhumeleleSJose

What is the scope of localStorage and sessionStorage

So I'm reading an article about JWT token authentication and why it's a bad idea to store these tokens inside local or sessionStorage. Apparently it's because doing so exposes the token to any script inside the page.

This does not ring any bells for me. Does inside the page mean the browser window? Browser tab? Website domain?

rodrigo.pedra

Does inside the page mean the browser window? Browser tab? Website domain?

Website domain.

The read-only sessionStorage property accesses a session Storage object for the current origin. sessionStorage is similar to localStorage; the difference is that while data in localStorage doesn't expire, data in sessionStorage is cleared when the page session ends.

reference: https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage

The localStorage read-only property of the window interface allows you to access a Storage object for the Document's origin;

localStorage is similar to sessionStorage, except that while localStorage data has no expiration time, sessionStorage data gets cleared when the page session ends — that is, when the page is closed. (localStorage data for a document loaded in a "private browsing" or "incognito" session is cleared when the last "private" tab is closed.)

reference: https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage

Any script running in the page (Google Analytics for example) can access both localStorage and sessionStorage.

If you are willing to use JWT for managing sessions, please read this article and its references at the end:

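The scoping described in the MDN excerpts quoted in the reply above, as an added example that is not part of the original thread: a simplified JavaScript model (not browser code) in which localStorage is keyed by origin and sessionStorage by origin and tab. The `BrowserModel` class, the tab ids, the `app.example` URLs and the token value are all constructed for illustration, and tab 2 is assumed to be opened independently of tab 1.

```javascript
// Simplified model of Web Storage scoping (an illustration, not browser code).
// localStorage:   one area per origin (scheme + host + port), shared by all tabs.
// sessionStorage: one area per origin *per tab* (page session).
class BrowserModel {
  constructor() {
    this.local = new Map();   // origin -> Map of key/value pairs
    this.session = new Map(); // `${tabId}|${origin}` -> Map of key/value pairs
  }
  static area(store, key) {
    if (!store.has(key)) store.set(key, new Map());
    return store.get(key);
  }
  // A script runs with the origin of the document that loaded it,
  // not the origin of the URL the script file was fetched from.
  storageFor(tabId, pageUrl) {
    const origin = new URL(pageUrl).origin;
    return {
      origin,
      localStorage: BrowserModel.area(this.local, origin),
      sessionStorage: BrowserModel.area(this.session, `${tabId}|${origin}`),
    };
  }
}

function demo() {
  const browser = new BrowserModel();
  // Constructed URLs; app.example stands in for the site that stores the JWT.
  const app = browser.storageFor(1, "https://app.example/login");
  app.localStorage.set("jwt", "constructed.token.value");
  app.sessionStorage.set("jwt", "constructed.token.value");

  const read = (tab, url) => {
    const s = browser.storageFor(tab, url);
    return { local: s.localStorage.get("jwt"), session: s.sessionStorage.get("jwt") };
  };
  return {
    // Third-party script included by the page: same tab, same document origin.
    thirdPartyScriptInPage: read(1, "https://app.example/login"),
    otherPathNewTab: read(2, "https://app.example/account"),
    differentPort: read(1, "https://app.example:8443/"),
    differentScheme: read(1, "http://app.example/"),
    subdomain: read(1, "https://cdn.app.example/"),
  };
}

console.log(demo());
```

Only the first two cases see the token in localStorage, and only the first sees it in sessionStorage; a different port, scheme or subdomain is a different origin and gets an empty storage area.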