> Not everybody has JS enabled (your content site shouldn't require it)
It is just as true that not everybody has cookies enabled.
> If using localStorage, users can write their own data. Depending on how you store data, this ranges from "not a problem at all" to "serious attack vector". At the least, it increases risk if an attacker gets XSS.
Users can write their own cookies as well: document.cookie = "whatever"; Users should have control to access and edit the data they are storing on their own devices.
> for e.g. auth, this is pretty bad.
Any data that is embedded in dynamically written HTML is fully available upon page load, so you don't need cookies or any other storage mechanism to solve that problem. You only need a way to send the data in the HTTP response.
> They are different technologies: localStorage & sessionStorage are not a full replacement for cookies.
They are a full replacement unless you lack confidence writing the necessary mechanisms in JavaScript that are typically left to Spring MVC for Java developers on the server.
If you don’t already have a valid session cookie, a cookie solution will first request authentication.
With a local storage solution I would embed a session hash in some dynamically written HTML or a response header; that is then stored in localStorage, and on every subsequent page request in the current HTTPS session the session hash, prepended with a salt, is sent back in the HTTPS request header. Then it’s always on the initial page request, but only after the session is established by the server.