Can user modify the values of variables stored in sessionStorage

I'm using client-side JavaScript to store some variables using Web Storage, more specifically, the sessionStorage.

But I'm not sure whether a user can simply modify the value of such variables in any way? If so, please provide an example of how this could happen.

asked by skyork, Feb 10 '13 18:02



2 Answers

Yes, users can always modify the values of their own storage. I can think of three ways right off the bat:

  • use the web browser console to run JS commands that modify storage
  • set up a client-hosted site with client-specified DNS to run their own code that modifies storage
  • open the local storage files and manually edit them

What's important is that you don't trust client storage. If you're going to store session information on the client, then you need some way for your server-side code to verify that the information hasn't been tampered with. There are other reasons you may not want to store this information on the client side (privacy, for example), but assuming you've thought through those, you still need to make sure you either trust the client's data or that you make sure trust isn't necessary.

answered by hrunting, Oct 10 '22 23:10


Not exactly sure in your case, but as a rule sessions should always be handled server side and not client side. One of the main points of sessions is to remove that data from the client side altogether, for security reasons.

answered by Tucker, Oct 10 '22 23:10