Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Can localStorage be modified by a client?

I'm attempting to use localStorage as a cookie replacement (detest cookies) so users can stay signed in on a site I operate.

What I planned so far was to save the user's username in localStorage, and have the site check whether anything was in localStorage, and if anything is in localStorage, it'd push the localStorage data to a PHP file via POST and push the user to start a new PHP session and return them back to where they were.

Though I have the concern, I know localStorage can be viewed, in which case possibly encrypting the data server-side would make some sense.

But can LocalStorage data be modified? If not, this would be fine to do, even without encryption, but obviously if a user could modify the localStorage data, they would have access to others' accounts, which as you can imagine, isn't a good thing.

I had the doubt because JavaScript can be executed by a client in a browser, ie:

javascript:alert("hello");

Couldn't it be possible to find out the localStorage's var name and reset it's value like this?

javascript:localStorage.setItem('sessionusername','superadmin');

Basically, I ask: Can HTML5 Local Storage data be modified on client side?

like image 648
unicornication Avatar asked Jun 28 '12 14:06

unicornication


People also ask

Can clients modify localStorage?

You have all the code written to test it in your OP. You should assume that any data held on the client could be altered with the right amount of skills and knowledge. If security is an issue, you should not base your application security around presistent storage or persistent cookies for that matter.

Is localStorage editable?

Once the information is stored in the client, it's always editable.

How do I change localStorage?

To replace local storage data for an already existing key with JavaScript, we can get the value with getItem , change the returned value, and then save it with setItem . We call setItem with the key and value to add an entry with key string and value 'foo' . Then we get the item with key string with getitem .

Can hackers access localStorage?

If an attacker can run JavaScript on your website, they can retrieve all the data you've stored in local storage and send it off to their own domain. This means anything sensitive you've got in local storage (like a user's session data) can be compromised.


3 Answers

Local storage is bound to the domain, so in regular case the user cannot change it on any other domain or on localhost.

It is also bound per user/browser, i.e. no third party has access to ones local storage.

Nevertheless local storage is in the end a file on the user's file system and may be hacked.

like image 94
Michael Besteck Avatar answered Oct 05 '22 23:10

Michael Besteck


There are addons like e.g. Foundstone HTML5 Local Storage Explorer for Firefox, which permit users not only to browse localStorage globally, but also to modify its content:

Local Storage Explorer

So I wouldn't trust on nobody having access to it or nobody can alter it. At least from the client, it is possible with ease. From another website, it might be more tricky, and certainly would involve a "security hole" as it's not the intended usage.

Update: Meanwhile, at least in Firefox, you don't even need any addon for that. Simply press Ctrl+Shift+I, select the Storage tab, and in the left-most column select Local Storage – where you can view and even edit the local storage for the site you've got in the foreground tab:

LocalStorage browser
Local Storage browser built-in to Firefox (click image for larger variant)

like image 35
Izzy Avatar answered Oct 05 '22 23:10

Izzy


Yes it can...

  1. Go to the website you wish to modify its localstorage.
  2. Enter your console (I press F12 in Chrome or Edge).
  3. Press the "Application" tab on top.
  4. Choose localstorage on the menu and then the website address underneath.
  5. Now you have a list of keys and values in front of you.
  6. Press the first blank line under them and enter any key on the left and any value on the right that you wish.
like image 37
Shem Avatar answered Oct 06 '22 00:10

Shem