Session Management across Subdomains: Localstorage vs Cookies

Aman Kumar
3 min readNov 1, 2020

--

Brief about localStorage

localStorage is a way to store data on the client’s computer. It allows the saving of key/value pairs in a web browser and it stores data with no expiration date. localStorage can only be accessed via JavaScript, and HTML5. However, the user has the ability to clear the browser data/cache to erase all localStorage data. Web storage can be viewed simplistically as an improvement on cookies, providing much greater storage capacity The available size is 5MB, which is more space to work with than a typical 4KB cookie. In addition with localStorage, the data is not sent back to the server for every HTTP request (HTML, images, JavaScript, CSS, etc.), which thus reduces the amount of traffic between client and server. Lastly, it works on same-origin policy, so the data stored will only be available on the same origin.

Use Case

Recently, at our organization Profilebud, we remodelled the user flow, what needed to do was a user has registered on payment.profilebud.com and then we wanted to redirect the user directly in our user dashboard at app.profilebud.com.

Way to Solution

In the above use case, we got blocked with localstorage. So, we have been using localstorage to set the user login token and to keep the user logged in. But that didn’t work out in the above use case.
That’s because localstorage doesn’t support sharing the storage across subdomains or even domain. Thus, if you have something stored at a.example.com it won’t be accessible from example.com or b.example.com.

Actually, this is a browser storage security issue, and in fact, none of LocalStorage/WebSQL/IndexedDB can be shared across subdomains. They are part of the “same-origin policy” which sandboxes data. This is to prevent malicious sites from e.g. malicious.geocities.com spying on data from another site like innocent.geocities.com.

So, unfortunately for use-cases like this storage across subdomains isn’t possible in any browser. Whereas traditional cookie session management can be scoped to multiple subdomains.

Cookies are pretty much a convenient way to carry information from one session on a website to another, or between sessions on related websites, without having to burden a server machine with massive amounts of data storage. If we were to store data on the server without using cookies, then it would be difficult to retrieve a particular user’s information without requiring a login on each visit to the website. Therefore, a cookie can simply be used if there is a large amount of information to store. In addition, a cookie can be made to persist for an arbitrary length of time.

Conclusion

Cookies and local storage serve different purposes. Cookies are mainly for reading server-side, whereas local storage can only be read by the client-side. Apart from saving data, a big technical difference is the size of data you can store, and as I mentioned earlier localStorage gives you more to work with.
In my use case, cookies are the right solution for session management because it can be scoped to multiple subdomains.

In any case, I don’t think localStorage is the right solution for session management.

Hope this helps :)

--

--