localStorage is very much fine and arguably superior to cookies for authentication tokens. First of all, once you have achieved JS execution on a target origin, you can send requests, open up malicious "login" prompts and generally control everything the user sees and does. The article mentions this, but plays it down with no good arguments.
Much more importantly however, is that the cookie standards are a mess! The complexity of cookie default behaviour, their flags, scopes, differences in their SOP (cookies ignore ports for example, so https://example.com:443 and https://example.com:8443 share their cookies) are huge. Research papers have been written in this. And don't even get started on differentials between browsing engines.
This huge complexity of cookies opens up a whole class of authentication attacks where bad (or just weirdly) configured cookies can be stolen cross origin.
localStorage on the other hand is practically impossible to get wrong.
Cookies also don't work on mobile, so you inevitably have to maintain 2 different login flows.
But they're still the superior choice for authN on the web, because if you want to, you CAN configure cookies to be secure. Yes, attackers can ride the session, but it's dependent on the user being on the tab and you being able to consistently execute JS. Client-side compromise (ie attacker controls the entire browser) is not feasible to defend against anyway.
The main issue with JWT+localStorage is you can actually execute one-off JS, exfiltrate the token and come back later. I've _never_ seen a well-executed JWT+localStorage implementation in 10 or so years, because teams inevitably realise they can't reliably revoke sessions (another advantage of cookies) and then start giving out long-lived access tokens but adding them to the database. Or some variation of that.
localStorage is not sent to the server when you request a document. So now you threw out the ability to do server-side rendering. This is only fine if you've got a application that always requires authentication, otherwise you risk server vs client mismatch, needless roundtrips, and DOM rewrites.
As an old guy reading this I had a lot of wtf moments during the setup. Then I laughed pretty hard when we eventually got to this line. Like there's a reason we invented cookies and all mature web frameworks use them for auth.
> Like there's a reason we invented cookies and all mature web frameworks use them for auth.
Cookie stealers, issues with third-party cookies and tracking... it's not like the past was a paradise, in fact, quite the opposite. Hell I 'member times when we had to append ?PHPSESSID=... to URLs. Cookies were a stopgap...
Cookies can be encrypted and signed and contain whatever information you want, not just some random token that has to be looked up in the database to be actually useful.
This is what aspnet core does by default if you enable cookie-based authentication. Gives you the best of both worlds.
smells a bit like AI, or AI helped article. Still, some points are explained quite clearly. Knew most of it, but still, some parts where a good reminder. I would always try to use bullet prooven framworks and NOT reinvent the wheel. Best way to go in 2026. There is simply too much angles of attack and knowing myself I would miss something.
> "Still, some points are explained quite clearly."
My experience with "AI" is that if you ask the right questions in the right way (and give it access to accurate information to build it's answers from) it's actually really good at explaining things "quite clearly".
If I use short-lived JWTs and localstorage, am I such a bad person? Are you truly increasing the blast radius?
Is there someone in another part of the world that would like hacking you only if you’re not using httpOnly cookies, happy to know that you used localstorage?
They use bots to promote their content to the front page and downvote any comments criticizing them. I observe this pattern consistently on this website.
localStorage is very much fine and arguably superior to cookies for authentication tokens. First of all, once you have achieved JS execution on a target origin, you can send requests, open up malicious "login" prompts and generally control everything the user sees and does. The article mentions this, but plays it down with no good arguments.
Much more importantly however, is that the cookie standards are a mess! The complexity of cookie default behaviour, their flags, scopes, differences in their SOP (cookies ignore ports for example, so https://example.com:443 and https://example.com:8443 share their cookies) are huge. Research papers have been written in this. And don't even get started on differentials between browsing engines.
This huge complexity of cookies opens up a whole class of authentication attacks where bad (or just weirdly) configured cookies can be stolen cross origin.
localStorage on the other hand is practically impossible to get wrong.
Cookies also don't work on mobile, so you inevitably have to maintain 2 different login flows.
But they're still the superior choice for authN on the web, because if you want to, you CAN configure cookies to be secure. Yes, attackers can ride the session, but it's dependent on the user being on the tab and you being able to consistently execute JS. Client-side compromise (ie attacker controls the entire browser) is not feasible to defend against anyway.
The main issue with JWT+localStorage is you can actually execute one-off JS, exfiltrate the token and come back later. I've _never_ seen a well-executed JWT+localStorage implementation in 10 or so years, because teams inevitably realise they can't reliably revoke sessions (another advantage of cookies) and then start giving out long-lived access tokens but adding them to the database. Or some variation of that.
localStorage is not sent to the server when you request a document. So now you threw out the ability to do server-side rendering. This is only fine if you've got a application that always requires authentication, otherwise you risk server vs client mismatch, needless roundtrips, and DOM rewrites.
> So the boring 2005 design wins.
As an old guy reading this I had a lot of wtf moments during the setup. Then I laughed pretty hard when we eventually got to this line. Like there's a reason we invented cookies and all mature web frameworks use them for auth.
> Like there's a reason we invented cookies and all mature web frameworks use them for auth.
Cookie stealers, issues with third-party cookies and tracking... it's not like the past was a paradise, in fact, quite the opposite. Hell I 'member times when we had to append ?PHPSESSID=... to URLs. Cookies were a stopgap...
Cookies can be encrypted and signed and contain whatever information you want, not just some random token that has to be looked up in the database to be actually useful.
This is what aspnet core does by default if you enable cookie-based authentication. Gives you the best of both worlds.
smells a bit like AI, or AI helped article. Still, some points are explained quite clearly. Knew most of it, but still, some parts where a good reminder. I would always try to use bullet prooven framworks and NOT reinvent the wheel. Best way to go in 2026. There is simply too much angles of attack and knowing myself I would miss something.
> "Still, some points are explained quite clearly."
My experience with "AI" is that if you ask the right questions in the right way (and give it access to accurate information to build it's answers from) it's actually really good at explaining things "quite clearly".
If I use short-lived JWTs and localstorage, am I such a bad person? Are you truly increasing the blast radius?
Is there someone in another part of the world that would like hacking you only if you’re not using httpOnly cookies, happy to know that you used localstorage?
Don't use JWTs for session auth, and don't outsource your articles to Claude.
I struggle to underdress why this slop content gets to the front page. It’s likely close to 100% ai made.
I really want this era of AI generated writing that reads so poorly to end. Or at least society should be ashamed of publishing this content.
They use bots to promote their content to the front page and downvote any comments criticizing them. I observe this pattern consistently on this website.
It was clear from the first ChatGPT release that the best application for LLMs is spam.
If the slop wasn't bad enough, halfway down the page you get a newsletter signup lightbox - the use of which ought to be a felony in my opinion.
[dead]