Auth Simulation

Compare insecure localStorage token storage vs secure httpOnly cookie simulation.

Try this: Log in with any test credential (e.g. admin / admin123)

Token Storage Inspector

Insecure: localStorage. The token is accessible via localStorage.getItem() (the inspector shows "No token in localStorage" until you log in).
Secure: httpOnly Cookie. JavaScript cannot read an httpOnly cookie through document.cookie (log in in Secure mode to see the cookie simulation).

What's happening

After login, the server issues a token (JWT) to identify the user. Where this token is stored determines how attackable it is. localStorage is synchronous and directly accessible via JavaScript.

Why it's vulnerable

Storing auth tokens in localStorage means any JavaScript on the page — including injected XSS payloads — can read them. An attacker with XSS can call localStorage.getItem() and exfiltrate your session token.

How it's fixed

Use httpOnly cookies for auth tokens. These are sent automatically with requests but are invisible to JavaScript. This completely blocks XSS-based token theft. Pair with Secure and SameSite=Strict cookie flags.

Real-world context

Many SPAs (React, Angular) mistakenly use localStorage for JWTs. High-profile breaches have used XSS to steal tokens from exactly this pattern. Auth0's documentation explicitly warns against it.
