Tags: javascript, html, session-storage, web-storage

Can a user modify the values of variables stored in sessionStorage?


I'm using client-side JavaScript to store some variables using Web Storage, more specifically, the sessionStorage.

But I'm not sure whether a user can simply modify the value of such variables in any way? If so, please provide an example of how this could happen.


Solution

  • Yes, users can always modify the values of their own storage. I can think of three ways right off the bat:

    What's important is that you don't trust client storage. If you're going to store session information on the client, then you need some way for your server-side code to verify that the information hasn't been tampered with. There are other reasons you may not want to store this information on the client side (privacy, for example), but assuming you've thought through those, you still need to make sure you either trust the client's data or that you make sure trust isn't necessary.
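
One way for server-side code to verify that a value kept in sessionStorage has not been tampered with is to attach an HMAC computed with a key only the server holds. This is an added example, not code from the original answer; the key value, the `payload.signature` token layout and the function names `issueToken`, `verifyToken` and `demo` are assumptions.

```javascript
// Added example: server-side Node.js code, not from the original answer.
const { createHmac, timingSafeEqual } = require('node:crypto');

// Assumption: in a real deployment the key comes from server-side secret
// storage and never reaches the browser. This value is a constructed placeholder.
const SERVER_KEY = Buffer.from('constructed-demo-key-do-not-reuse');

function mac(payloadB64) {
  return createHmac('sha256', SERVER_KEY).update(payloadB64).digest();
}

// Server: serialize the state and attach a MAC. The returned string is what
// the client would keep, e.g. sessionStorage.setItem('state', token).
function issueToken(state) {
  const payloadB64 = Buffer.from(JSON.stringify(state)).toString('base64url');
  return `${payloadB64}.${mac(payloadB64).toString('base64url')}`;
}

// Server: return the state only if the MAC matches, otherwise null.
function verifyToken(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 2) return null;
  const [payloadB64, sigB64] = parts;
  const given = Buffer.from(sigB64, 'base64url');
  const expected = mac(payloadB64);
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return null;
  }
  try {
    return JSON.parse(Buffer.from(payloadB64, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

// Constructed scenario: the user edits the stored value in the browser,
// changing the payload but keeping the old signature.
function demo() {
  const token = issueToken({ user: 'alice', role: 'viewer' });
  const editedPayload = Buffer.from(
    JSON.stringify({ user: 'alice', role: 'admin' })
  ).toString('base64url');
  const tampered = `${editedPayload}.${token.split('.')[1]}`;
  return { intact: verifyToken(token), tampered: verifyToken(tampered) };
}
```

The MAC only detects modification: the payload is still readable by the user, and an older valid token can be sent again unless the state carries an expiry or version that the server checks.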