How secure is HTML5 local Storage for a Mobile Device

3
votes

I'm looking to work around some performance issues on a mobile site by storing the data entered on multiple forms into the local Storage.

I will be clearing the data on load and clearing the data on the last page, so no sensitive data will be left on the device after they visit the website on their mobile device.

I do have a couple of concerns though:

  • Can another program access the data I store in local storage?
  • If the user doesn't complete the process can I place a expiration date on the data?
    Example: I want the data to expire in 30 minutes regardless if the user has finished the process, left the site, closed the browser
1
securityhtmlmobilelocal-storage

1 Answers

1
votes

Take a look at sessionStorage, which works similarly to localStorage but doesn't keep any data once a tab/window/browser is closed.

This would also be more secure than localStorage as no data would be kept once a session has ended. There is more details on security in the W3 Storage spec.

However if you're storing sensitive data I'd recommend cookies as data in sessionStorage and localStorage can be viewed and edited by the user and is potentially open to XSS attacks.