⚖️ Comparison · Updated for 2026
localStorage / sessionStorage vs Cookies
Side-by-side comparison, when-to-use-each guide, and instant conversion. Reviewed for 2026.
Quick answer: LocalStorage: 5-10 MB, JavaScript-only, persists until cleared, never sent to server. Cookies: 4 KB, can be sent to server, can be HttpOnly/Secure, have expiry dates. Use localStorage for client-side preferences and state; use cookies for server-readable data and authentication tokens.
Decision guide — when to use which
Use localStorage / sessionStorage when…
User preferences, draft content, client-side caches, anything the server doesn't need.
Use Cookies when…
Authentication (HttpOnly), CSRF tokens, anything the server reads on every request.
📊 Side-by-side comparison
| Aspect | localStorage / sessionStorage | Cookies |
|---|---|---|
| Size limit | 5-10 MB | 4 KB |
| Sent with each request | No | Yes |
| JS access | Yes | Yes (unless HttpOnly) |
| Server access | No (client only) | Yes (every request) |
| Cross-domain | No | Possible (with proper config) |
Frequently asked
?
Why not use localStorage for auth tokens?
localStorage is readable by any JavaScript on the page — including injected XSS attacks. HttpOnly cookies can't be read by JS, so an XSS bug can't steal them. For auth, always use HttpOnly cookies, never localStorage.
?
What about IndexedDB?
IndexedDB is a much larger client-side database (~50% of free disk by default, often GB). Use it for substantial client-side data (offline apps, image caches). For simple key-value, localStorage is enough.
Reviewed for 2026. All conversion factors and historical references verified against official sources (ISO standards, government weights & measures legislation, IEC technical specifications). Built by a UK-based qualified primary teacher and FA Level 2 coach as part of 247QuickTools' free utility-tools project. We don't sell SEO links or accept paid placements in this content.