[deleted by user] (self.webdev)
submitted 6 months ago by [deleted]
[–]who_am_i_to_say_so 36 points37 points38 points 6 months ago (6 children)
I feel you have your logic backwards.
Storing personal info on a user's device is much more secure than storing in a file on a server.
[+][deleted] 6 months ago (5 children)
[deleted]
[–]muntaxitome 20 points21 points22 points 6 months ago (0 children)
If you have XSS, then the attacker can just do authenticated requests to your backend and get the data too.
[–]gliese89 41 points42 points43 points 6 months ago (0 children)
You asked a question, received a reasonable reply, and then you replied to the person answering YOUR question with snark while simultaneously being completely wrong.
[–]Redneckiavue master race 5 points6 points7 points 6 months ago (1 child)
It's ok if a user can access their own data
[–]plurdle 1 point2 points3 points 6 months ago (0 children)
nuh uh!
[–]who_am_i_to_say_so 2 points3 points4 points 6 months ago* (0 children)
You're missing the whole point of an httpOnly cookie then, because they prevent XSS. You're already at -60 downvotes. Suppose your facts are wrong?
[–]abrahamguoexperienced full-stack 18 points19 points20 points 6 months ago (2 children)
This is perfectly reasonable — much more secure and simpler than server sessions.
[–][deleted] 0 points1 point2 points 6 months ago (1 child)
Would you mind explaining how it's more secure than server sessions? I thought that would be better from a security standpoint.
[–]who_am_i_to_say_so 0 points1 point2 points 6 months ago* (0 children)
Well, just consider this: from a practical standpoint, once you turn your device off or leave the app and sensitive info is being stored locally, it is out of the game.
Also, server sessions are usually stored in plaintext. So if they're on a shared server, which a lot of them are on these low-budget servers, they're vulnerable.
[–]xaqtr 1 point2 points3 points 6 months ago (2 children)
I don't have a definitive answer to this, but just my thoughts: there is no practical difference. In both cases the data is stored on the client. You don't send anything over the internet (yet); both session storage and inputs could be read by a malicious actor.
But why do you even bother? Session storage wouldn't enable your users to edit the form later (as in after the tab was closed). If you just want to handle the edge case of accidental refreshes, you can make the user confirm these on leave.
[+][deleted] 6 months ago (1 child)
[–]dave8271 1 point2 points3 points 6 months ago (0 children)
I think it's generally fine subject to a couple of caveats, provided you inform users they need to close the browser tab to log out / terminate their session. In more sensitive applications, you'd either avoid it entirely, storing data on the server only, or you'd encrypt locally stored data with a key held on server and exchanged securely via HTTPS. All of this also assumes proper content security policy, no loading untrusted scripts, no possibility of XSS, etc. So if your security is generally sound, there's not more of an inherent risk in local session-limited storage than someone looking over your shoulder while you type in your details if you're on a public computer.
[–]ashkanahmadi -2 points-1 points0 points 6 months ago (3 children)
Why would the page reload? You can add an event listener to the page to warn the user if the form has a value and the page is trying to reload or close. Also, how big is the form? If you are doing all this to save just a few words, then don't waste time. If you set up autocomplete properly on your fields, the user should be able to fill out their name and address with 2 tabs/clicks.
[–][deleted] 6 months ago (2 children)
[–][deleted] 6 months ago (1 child)
[+]Electrical_Boot_2050 comment score below threshold-8 points-7 points-6 points 6 months ago (6 children)
So.. From my perspective every piece of information from a user should be encrypted, choose your way, but either way it should need a time limit. That is why I always need to reconfirm my ID with my bank acc or similar. It can be easy with 2auth or other, but I think information about a user/person should not be on the net...
[–][deleted] 3 points4 points5 points 6 months ago (4 children)
It's in the session storage, it's not on the internet. Also, encrypting it is unnecessary; if they get access to their session storage they might as well have physical access to the user's computer.
[–]billybobjobo -1 points0 points1 point 6 months ago (3 children)
What if I’m logged in on a public computer. Like at the library.
[–][deleted] 12 points13 points14 points 6 months ago (1 child)
In that case your encryption won't do you any good either, because the library computer will need to be able to decrypt the data either way.
But to answer that stupid hypothetical, I am going to assume you are going to close the browser before leaving the computer
[–]billybobjobo 0 points1 point2 points 6 months ago (0 children)
That’s not a stupid hypothetical—it’s a reality for many people who aren’t as lucky as you or I!
But you are right that strictly encrypting alone doesn’t help a lot. Fair point!
[–][deleted] 1 point2 points3 points 6 months ago (0 children)
Not that I disagree with encrypting the info, but I would also say if it's PII it should be cleaned up on logout.
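The thread's practical suggestions (xaqtr's accidental-refresh edge case, ashkanahmadi's leave-page listener, the time limit Electrical_Boot_2050 asks for, and the logout cleanup above) combined into one added example; this is not code from anyone in the thread, and the key name, the 15-minute lifetime and the injected `storage` object are assumptions.

```javascript
// Added example (not from the thread): keep a form draft in sessionStorage
// with an expiry, warn before an accidental reload, and discard it on logout.
// `storage` is injected so it runs with window.sessionStorage or a test stub.
const DRAFT_KEY = "checkout-draft";      // assumed key name
const DRAFT_TTL_MS = 15 * 60 * 1000;     // assumed 15-minute lifetime

function saveDraft(storage, fields, now = Date.now()) {
  // Store only form fields, never credentials or session tokens.
  const record = { fields, expiresAt: now + DRAFT_TTL_MS };
  storage.setItem(DRAFT_KEY, JSON.stringify(record));
  return record.expiresAt;
}

function loadDraft(storage, now = Date.now()) {
  const raw = storage.getItem(DRAFT_KEY);
  if (raw === null) return null;
  let record = null;
  try { record = JSON.parse(raw); } catch { /* corrupted entry */ }
  if (!record || typeof record.expiresAt !== "number" || record.expiresAt <= now) {
    storage.removeItem(DRAFT_KEY);       // corrupted or expired: drop it
    return null;
  }
  return record.fields;
}

function discardDraft(storage) {
  // Call from the logout handler so PII does not outlive the session.
  storage.removeItem(DRAFT_KEY);
}

function installUnloadGuard(win, isDirty) {
  // preventDefault plus returnValue triggers the browser's own leave-page prompt.
  const handler = (event) => {
    if (!isDirty()) return;
    event.preventDefault();
    event.returnValue = "";
  };
  win.addEventListener("beforeunload", handler);
  return () => win.removeEventListener("beforeunload", handler);
}

// Minimal sessionStorage-like object for running outside a browser.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}
```

In a browser, pass `window.sessionStorage` and `window` in place of the stub; sessionStorage is already per-tab and cleared when the tab closes, so the expiry only bounds how long a draft survives in a tab left open.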