Cookies, sessionStorage, and localStorage all store data in the browser, but they differ in size limits, expiration, and how they are sent to the server. Security and expiration differ, so choose carefully; test storage limits and cross-tab behavior.
Describe the difference between a cookie, sessionStorage and localStorage in browsers
Quick Answer
Answer
The Core Idea
Browsers provide several ways to store data on the client side. The three most common are:
- Cookies – small pieces of data sent to and from the server.
- localStorage – stores data persistently in the browser.
- sessionStorage – stores data temporarily for one browser tab session.
Feature | Cookies | localStorage | sessionStorage |
|---|---|---|---|
Lifetime | Can have an expiration date or last until manually deleted | Persists indefinitely until cleared | Cleared when the tab or browser is closed |
Storage limit | ~4KB | ~5–10MB | ~5–10MB |
Accessible from JavaScript? | Yes (unless flagged HttpOnly) | Yes | Yes |
Automatically sent to server? | Yes — sent with every HTTP request to matching domain | No | No |
Primary use | Authentication, server sessions, user tracking | Client-side caching, preferences, offline data | Temporary state per tab (e.g., wizard steps) |
Shared between tabs? | Yes (same domain) | Yes (same domain) | No — per tab only |
Cookies
- Can be read by both the browser and the server.
- Often used for authentication tokens or session IDs.
- Sent automatically with requests to matching domains.
document.cookie = 'theme=dark; expires=Fri, 31 Dec 2025 23:59:59 GMT; path=/';localStorage
- Stores data persistently — it remains even after closing the browser.
- Only accessible through JavaScript (never sent to the server).
localStorage.setItem('theme', 'dark');
console.log(localStorage.getItem('theme')); // 'dark'sessionStorage
- Works just like localStorage but is limited to one tab.
- The data disappears when the tab is closed.
sessionStorage.setItem('tab', 'checkout');
console.log(sessionStorage.getItem('tab')); // 'checkout'Security Notes
- Never store sensitive data (like passwords or tokens) in localStorage or sessionStorage — they are easily accessible by JavaScript.
- For secure cookies, use the
HttpOnlyandSecureflags so they can’t be accessed via JavaScript and are only sent over HTTPS.
Practical scenario
You need to persist a theme preference and an auth flag, deciding between cookies and Web Storage based on security and lifetime.
Common pitfalls
- Storing sensitive tokens in
localStorage(XSS risk). - Forgetting cookies are sent with every request.
- Assuming
sessionStoragepersists across tabs.
Cookies are better for server auth; Web Storage is client-only. Test storage limits and SameSite settings.
Still so complicated?
Think of them like hotel storage options:
- Cookies: Front desk storage — accessible by staff (server) and you (browser).
- localStorage: Your personal locker — data stays even if you leave and come back later.
- sessionStorage: Your room table — data disappears when you check out (close the tab).
Summary
- Cookies: Small, server-aware, and often used for authentication.
- localStorage: Large, persistent, and purely client-side.
- sessionStorage: Temporary, tab-specific storage.
Choose based on how long the data should live and whether the server needs to read it.
Similar questions
Guides
Preparing for interviews?
Use the relevant interview-question hub first, then move into a concrete study plan before targeted company sets.