Skip to content
July 12, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Vulnerability Report
Light/Dark Button
  • Home
  • Technique
  • Talk about HTML5 local storage
  • Technique

Talk about HTML5 local storage

Do Son September 13, 2017 5 minutes read
HTML5 local storage

Browser Local Storage Overview

Introduction

cookie

A cookie is a data (usually encrypted) that some websites store on the user’s local terminal in order to identify the user’s identity and track the session.

webStorage

webStorage is one of the local storage solutions in HTML5, including sessionStorag and localStorage, the difference between the two differences in the life cycle.

websql and indexeddb

IndexedDB is a low-level API for the client to store large amounts of structured data. The API uses an index to achieve a high-performance search for the data. WebStorage is useful for storing less data, but it is not useful for storing a lot of structured data. IndexedDB provides a solution.

websql is the early storage standards, is no longer maintenance, steering indexeddb, but websql better compatibility. But indexeddb is the future, so the next main indexeddb

Four contrast

Types of Life cycle Storage size Communicate with the server Scopes scenes to be used
Cookie Generally generated by the server, you can set the expiration time, the default is to disable the browser after the failure 4k or so Can carry each time in the http header, but save too much data will bring performance problems You can set the primary domain name by .setDomain It is not recommended to store data in the cookie, if necessary, to store synchronization access to the page must be brought to the server information, such as the site user login information
localStorage Permanently saved unless cleared 5m or so Can only be stored on the browser side Subdomains are independent of each other Store some of the user status and data, ease the server pressure
sessionStorage Only the current tab page, close the browser or the new tab is empty 5m or so Can only be stored on the browser side Different tabs can not be shared It is recommended to store some of the current page refresh need to store, and do not need to leave the tab when the information left, according to this to determine whether the user to refresh, restore music video playback
indexeddb Permanently saved unless cleared A separate database does not have a size limit, but may limit the size of each Indexeddb database, such as Firefox in the user interface will only be stored for more than 50 MB size of the BLOB (binary large object) request permissions, the overall basic no size limit Can only be stored on the browser side Subdomains are independent of each other Offline application or webapp can consider using indexeddb or websql to access data

【Tip】 sessionStorage can only be shared under a tab, that is, if you open a page from the current tab page, sessionStorage data is empty. But if you restore the closed page, then chrome and firefox sessionStorage will be restored, but Safari will not.

webStorage and indexeddb compatibility

webStorage compatibility

Chrome Firefox IE Opera Safari
localStorage 4 3.5 8 10.50 4
sessionStorage 5 2 8 10.50 4

Basic browsers are supported

indexeddb compatibility

Chrome Firefox IE Opera Safari
Asynchronous API 12 [webkit] 16.0 (16.0) 4.0 (2.0) [moz] 10 【ms】 Not realized Not realized
Synchronization API Not realized Not realized Not realized Not realized Not realized

Currently poor compatibility

webStorage API

LocalStorage and sessionStorage usage are the same, the following show examples of the use of sessionStorage.

// Save the data to sessionStorage

sessionStorage.setItem ('key', 'value');
// Get data from sessionStorage
var data = sessionStorage.getItem ('key');
// remove the saved data from sessionStorage
sessionStorage.removeItem ('key');
// remove all saved data from sessionStorage
sessionStorage.clear ();
// enumerate sessionStorage methods
for (var i = 0; i <sessionStorage.length; i ++) {
var key = sessionStorage.key (i);
var value = sessionStorage.getItem (key);
}

Of course, you can also use the object to set the way to the assignment.

sessionStorage [ 'colorSetting' ] = '# a4509b' ;

sessionStorage.setItem ( 'colorSetting' , '# a4509b' );

However, the official proposal only use webStorage API (getItem, removeItem, key, length), to avoid the use of object key storage some of the defects, please click here for details

storage event

There are storage events for webStorage. When the storage changes, the storage event is triggered.
The condition here is that the data has changed, and if the current storage area is empty, even if the call to clear () will not trigger the event. Or if you set a value that is the same as the existing value by settingItem(), the event will not fire.

storage attribute

Attribute name description
key On behalf of the attribute name changes. When the clear () method is cleared after all the property name becomes null. Read only (read only).
newValue Newly added value. When executed by the clear () method or deleted by the attribute name, the value becomes null. Read only (read only).
oldValue The original value is changed to null by the clear () method or replaced by a new value. Read only.
storageArea The storage object being manipulated. Read only.
url key The URL of the document corresponding to the changed object. Read only.

The following describes the use of multi-tab page sessionStorage will use chestnuts.

The multi-tab page uses sessionStorage

In the recent use of vuejs write completely before and after the separation of the project, when doing login authentication, in the end how to store user authentication information.

Because the system security requirements are relatively high, requiring the user to close the tab when the session immediately expires, the use of cookies to save the sensitive token is not appropriate. If you use localstorage, the localstorage data is still there, and the requirements are not met.
Think only use sessionStorage.

But embarrassing is that the use of sessionStorage is no longer able to share more pages. Each time you open a new tab, it will jump to the login page, the user experience is not friendly.

In simple terms, if the new tab if there is no sessionStorage data, it will trigger a localstorage modify events, then in the existing label received this event, it will be the current page sessionStorage data stored in localstorage, but immediately Removed. But in the new tab will listen to the event, you can get to the sessionStorage data, which will ensure that the new tab page can also get sessionStorage, but also to ensure that localstorage does not exist token information.

 function () {

if (! sessionStorage.length) {
// If the current page does not have sessionStorage data, it triggers an event.
localStorage.setItem ( 'getSessionStorage' , Date .now ());
};
window .addEventListener ( 'storage' , function ( event ) {
//console.log('storage event ', event);
if (event.key == 'getSessionStorage' ) {
// already existing tab page After receiving the event, talk sessionStorage data to localstorage and remove it immediately.
localStorage.setItem ( 'sessionStorage' , JSON .stringify (sessionStorage));
localStorage.removeItem ( 'sessionStorage' );
} else if (event.key == 'sessionStorage' &&! sessionStorage.length) {
// The new tab will listen to the event here, through the newValue this property is stored in the localstorage sessionStorage data
var data = JSON .parse (event.newValue), value;
console .log (data, "111" );
for (key in data) {
sessionStorage.setItem (key, data [key]);
}
}
});

}) ();

IndexedDB

Usage is not as simple as sessionStorage, but the following two articles on the basic indexeddb usage are relatively clear. No extra finishing.

Share this article:

Facebook Post LinkedIn Telegram
Tags: HTML5 local storage

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-1207CVSS 5.4
    An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on...
    Admin intel📅 Updated: Jul 10, 2026
  • CVE-2026-48939CVSS 10.0
    A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-56291CVSS 10.0
    The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files...
    CISA KEV📅 Added to KEV: Jul 10, 2026
  • CVE-2026-55255CVSS 8.4
    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-48908
    A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-56290
    The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable...
    CISA KEV📅 Added to KEV: Jul 7, 2026
  • CVE-2026-20896CVSS 9.8
    Gitea Docker image: `REVERSE_PROXY_TRUSTED_PROXIES = *` default lets any source IP impersonate any user via `X-WEBAUTH-USER`
    Admin intel📅 Updated: Jul 6, 2026
  • CVE-2026-48282CVSS 10.0
    ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted...
    Admin intelCISA KEV📅 Added to KEV: Jul 7, 2026📅 Updated: Jul 3, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-61447CVSS 10.0
    PraisonAI before 1.6.78 contains a remote code execution vulnerability in CodeAgent._execute_python() that...
  • CVE-2026-61445CVSS 9.9
    PraisonAI before 4.6.78 contains arbitrary file write and command execution vulnerabilities in...
  • CVE-2026-60090CVSS 9.8
    PraisonAI before 4.6.78 fails to validate the caller-controlled dimension argument in the...
  • CVE-2026-57827CVSS 10.0
    The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload...
  • CVE-2026-57828CVSS 9.0
    The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file...
  • CVE-2026-14480CVSS 9.9
    OpenPLC Runtime v3 contains an authenticated arbitrary file write vulnerability in the...
  • CVE-2026-20744CVSS 9.8
    The charging station websocket endpoint accepts connections without proper authentication, which could...
  • CVE-2026-57807CVSS 9.8
    Authentication Bypass Using an Alternate Path or Channel vulnerability in miniOrange Security...
  • CVE-2026-55879CVSS 9.3
    OpenReplay is a self-hosted session replay suite. From 1.24.0 before 1.25.0, the...
  • CVE-2026-12761CVSS 9.8
    The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.