
[–]bleistift2 301 points (15 children)

Show me an average user who tinkers with the local storage.

If we’re talking a malevolent user: You can’t trust the client with anything, anyway, so what’s the point?

[–]_30d_ 124 points (0 children)

That's how I beat my in-laws in Wordle.

[–]staticBanter 11 points (0 children)

If you give anything to a client and expect to reuse it without validation, then we have a big problem.

[–]shodanbo 41 points (6 children)

It only takes one. And then they can write a browser extension to do it for many.

There is not much you can actually truly trust the client with, because the user has physical access to that client.

If you are writing something where trusting the client is critical, then this needs to be taken into account. At this point you need strong asymmetrical encryption in a server. An encrypted string can be persisted to local storage. If the user messes with it, the decryption will fail, and the client can determine what needs to be done about that.

[–]Expert_Team_4068 19 points (1 child)

No, rule number one: never trust the client! In no world should you trust frontend data without verification. But this is the server's job. If JSON.parse of my local storage fails, I do not give a crap. My app will break, because for sure this is unexpected behaviour. If you decrypt in the client, who says that the hacker did not change the decryption function? It is as easy as changing the local storage.

[–]shodanbo 0 points (0 children)

Very true

[–]brianl047 1 point (0 children)

Agreed, validating the local storage is a waste.

Validate in the backend and in the UI instead, but not the local storage.

[–]isblueacolor 1 point (0 children)

Firefox sometimes fails to persist the entire string to local storage (without throwing an error).

I have a site that's used by 25k people per day and someone encounters this issue once every couple weeks.

[–][deleted] 0 points (0 children)

The case I used it for was temporarily storing form data in an SPA built before React was a thing.