JavaScript - Avoid use of local storage on Catalog Client Scripts

Impact area

Security

Severity

High

Affected element

Client Script

Widget

Widget Angular Provider

UI Script


Rule number

SN-0161

Impact

Session storage and local storage are HTML5 features that let developers store megabytes of data client-side, compared with the roughly 4 KB a cookie can hold. While useful for speeding up applications on the client side, storing sensitive information this way is dangerous because the data is not encrypted by default and any script running on the page can read it.

Remediation

Avoid use of local storage in all client side code.

Time to fix

45 min

References

This rule is linked to Common Weakness Enumeration CWE-539, Information Exposure Through Persistent Cookies.

Code examples

Noncompliant code

localStorage.setItem("login", login); // Noncompliant
sessionStorage.setItem("sessionId", sessionId); // Noncompliant

Compliant code

// Store sensitive data on the server side only.
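The following scanner is an added example and is not code from the original rule page or from the rule's vendor. It demonstrates how a reviewer can detect the noncompliant pattern above (writes to localStorage or sessionStorage) in client-script source before it ships. The sample client script, the ServiceNow-style names it mentions (g_user, g_form, applyDarkTheme) and the SENSITIVE_KEY word list are constructed for this example; the scanner is regex-based, so it is a review aid rather than a full JavaScript parser.

```javascript
// Added example (not part of the original rule page): a heuristic scanner that
// flags writes to Web Storage in client-side script source, the pattern rule
// SN-0161 reports. Line- and regex-based, not a real JavaScript parser.

// localStorage.setItem("key", ...) / window.sessionStorage.setItem('key', ...)
// groups: 1 = storage object, 2 = quote character, 3 = key name
const STORAGE_SET_ITEM =
  /\b(?:window\.)?(localStorage|sessionStorage)\s*\.\s*setItem\s*\(\s*(['"`])([^'"`]*)\2\s*,/g;

// localStorage.key = ... / sessionStorage["key"] = ...   (excludes == and ===)
// groups: 1 = storage object, 2 = dotted key, 3 = quote, 4 = bracketed key
const STORAGE_ASSIGN =
  /\b(?:window\.)?(localStorage|sessionStorage)\s*(?:\.\s*([A-Za-z_$][\w$]*)|\[\s*(['"`])([^'"`]*)\3\s*\])\s*=(?!=)/g;

// Key names that suggest credentials or session identifiers. This list is an
// assumption made for the example; adapt it to the application being reviewed.
const SENSITIVE_KEY = /login|user|session|token|password|secret|auth|cookie/i;

// Returns one finding per storage write: { line, api, method, key, looksSensitive }.
function findStorageWrites(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    const checks = [[STORAGE_SET_ITEM, 'setItem'], [STORAGE_ASSIGN, 'assignment']];
    for (const [pattern, method] of checks) {
      pattern.lastIndex = 0; // global regexes keep state between exec() calls
      let m;
      while ((m = pattern.exec(text)) !== null) {
        const key = method === 'setItem' ? m[3] : (m[2] !== undefined ? m[2] : m[4]);
        findings.push({
          line: idx + 1,
          api: m[1],
          method,
          key,
          looksSensitive: SENSITIVE_KEY.test(key),
        });
      }
    }
  });
  return findings;
}

// Constructed sample of a catalog client script (not real project code).
const SAMPLE_CLIENT_SCRIPT = [
  'function onLoad() {',
  '  var login = g_user.userName;',
  '  localStorage.setItem("login", login); // Noncompliant',
  '  sessionStorage.setItem("sessionId", g_form.getUniqueValue()); // Noncompliant',
  '  window.localStorage["theme"] = "dark"; // still a storage write',
  '  var theme = localStorage.getItem("theme"); // read: not flagged by this scanner',
  '  if (localStorage.theme === "dark") { applyDarkTheme(); } // comparison: not flagged',
  '}',
].join('\n');

for (const f of findStorageWrites(SAMPLE_CLIENT_SCRIPT)) {
  console.log(
    `line ${f.line}: ${f.api} ${f.method} key="${f.key}"` +
    (f.looksSensitive ? ' (key looks sensitive)' : '')
  );
}
```

Running the block reports three writes in the sample: the two setItem calls with credential-like keys and the bracket assignment of the "theme" preference. The rule asks that all Web Storage writes be avoided in client code, so every finding is a remediation item; the looksSensitive flag only helps prioritise which ones to fix first.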
Last modified on Mar 12, 2021