Can localStorage be modified by a client?

Posted 2019-02-21 18:28

I'm attempting to use localStorage as a cookie replacement (detest cookies) so users can stay signed in on a site I operate.

What I planned so far was to save the user's username in localStorage, and have the site check whether anything was in localStorage, and if anything is in localStorage, it'd push the localStorage data to a PHP file via POST and push the user to start a new PHP session and return them back to where they were.

Though I have the concern, I know localStorage can be viewed, in which case possibly encrypting the data server-side would make some sense.

But can LocalStorage data be modified? If not, this would be fine to do, even without encryption, but obviously if a user could modify the localStorage data, they would have access to others' accounts, which as you can imagine, isn't a good thing.

I had the doubt because JavaScript can be executed by a client in a browser, i.e.:

javascript:alert("hello");

Couldn't it be possible to find out the localStorage's var name and reset its value like this?

javascript:localStorage.setItem('sessionusername','superadmin');

Basically, I ask: Can HTML5 Local Storage data be modified on client side?

Cheers, Karan :)

2 answers
做个烂人
Post #2 · 2019-02-21 19:00

There are addons like e.g. Foundstone HTML5 Local Storage Explorer for Firefox, which permit users not only to browse localStorage globally, but also to modify its content:

Local Storage Explorer

So I wouldn't trust that nobody has access to it or that nobody can alter it. At least from the client, it is possible with ease. From another website, it might be more tricky, and certainly would involve a "security hole" as it's not the intended usage.

Update: Meanwhile, at least in Firefox, you don't even need any addon for that. Simply press Ctrl+Shift+I, select the Storage tab, and in the left-most column select Local Storage – where you can view and even edit the local storage for the site you've got in the foreground tab:

Local Storage browser built-in to Firefox

萌系小妹纸
Post #3 · 2019-02-21 19:04

Local storage is bound to the domain, so in the regular case the user cannot change it on any other domain or on localhost.

It is also bound per user/browser, i.e. no third party has access to one's local storage.

Nevertheless local storage is in the end a file on the user's file system and may be hacked.
