[robgibbons]

In both cases (cookie vs localStorage) you're really just storing your data as a string value, not truly a JSON object, so whether you use a cookie or localStorage is more dependent on the use case.

If you only ever need the stored data on the client, localStorage is your pick. If you need to pass it back to the server with each request, cookies.

[recursive]

JSON is explicitly a string serialization format.

[robgibbons]

Right, I meant it's not a JavaScript object. It's serialized into a string in any case, no matter which API you're stuffing it into. So it's a bit of a non-sequitur for the parent to suggest that it's somehow weird to store JSON in a cookie, but not in localStorage. It's all just strings.

[MBCook]

I find it weird too. I’ve always considered cookies like very stupid key value stores.

It would never occur to me to put something more than a simple token in a cookie. A username, and email address, some opaque thing.

The idea of trying to use it for arbitrary strings just seems weird to my intuition, but I don’t really know why. Maybe just because when I was learning about them long ago I don’t remember seeing that in any of the examples.

[recursive]

My point is that there really is no such thing as "truly a JSON object".

[0x073]

Combine local storage with service worker, so you pass the data to the server if needed. Completely without setting cookies.

[withinboredom]

And if I don't want any javascript to see my values, ever? Or how do you handle CSRF?

[0x073]

Httponly cookie is the way, but then you just don't use json as cookie value that is send on every request.

Csrf is no problem as the data from service worker is only active on the site itself. If you speak about csrf with a website where you can't trust js, you're site is broken as xhr/fetch use the same httponly cookies and is affected as well.

[withinboredom]

Since when can you trust js?

[0x073]

Big websites use js and if they leak most of the time it's not a js issue.

I think the distrust of js is a personal issue.

[withinboredom]

I mean, anyone can open devtools and change the code to do whatever ... or install an extension that does it. So, since when can you guarantee that a browser client will actually do what you program it to do? In my experience, you can't guarantee anything on the client -- since forever. I was asking when/if that changed. I don't see why you would make that a personal attack?