Here are a couple of links to web sites about web storage (including local
sessionStorage is similar to localStorage. The main difference is lifetime and scope: data in sessionStorage belongs to one window or tab (and, like localStorage, to one origin) and is deleted when that window or tab is closed, whereas localStorage persists until the page or the user removes it. Neither is sent to the server automatically the way cookies are, and both are readable by any script running in the origin, so neither is a place to keep secrets such as passwords or tokens.
Here's a link to a web site that has more information about cookies:
This part of the course is not intended to be a comprehensive discussion of Internet security issues. In fact, it's not even close. But there are a few basic security issues that are worth mentioning, even if we can't look at security in depth.
Note that an HTML document can contain script tags that load JS from a different server than the one the HTML document was loaded from. No matter which server the JS code is actually fetched from, for purposes of the same-origin policy the code runs with the origin of the document that included it, with full access to that document's DOM, cookies and storage. Including a third-party script is therefore a decision to trust that server completely.
An origin is defined as the combination of the scheme (the protocol, such as http or https), the host name, and the port number. Two URLs are same-origin only if all three match: https://example.com and http://example.com are different origins, as are example.com and www.example.com, and example.com:443 and example.com:8443.
You can read about the same-origin policy in this Wikipedia article: https://en.wikipedia.org/wiki/Same-origin_policy
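As an added example (not code from the course notes), here is how the origin triple above can be derived and compared with the standard WHATWG URL API that browsers and Node both provide. The URLs in it are constructed for illustration; the API already lowercases the host and drops a port equal to the scheme's default, which is why http://example.com:80/ and http://example.com/ compare as the same origin.

```javascript
// Added example: derive the same-origin-policy origin of a URL and compare two URLs.
// Uses the WHATWG URL API (browsers and Node). URLs below are constructed.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return the (scheme, host, port) triple that defines an origin.
// URL.origin has already normalized case and default ports for us.
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol.slice(0, -1),            // "https:" -> "https"
    host: u.hostname,                           // already lowercased
    port: u.port || DEFAULT_PORTS[u.protocol] || "",  // "" means the scheme default
    origin: u.origin,                           // e.g. "https://example.com:8443"
  };
}

// Two URLs are same-origin only when scheme, host and port all match.
function sameOrigin(a, b) {
  return originOf(a).origin === originOf(b).origin;
}

// Documents loaded from file:// have no host to compare, so the API reports
// the opaque origin "null"; browsers treat each such document as its own world.
function isOpaqueOrigin(url) {
  return new URL(url).origin === "null";
}

// Usage:
//   sameOrigin("http://example.com/a", "http://example.com:80/b")   -> true
//   sameOrigin("https://example.com/", "https://www.example.com/")  -> false
//   sameOrigin("http://example.com/", "http://example.com:8080/")   -> false
```

The script-tag point from the notes follows from the same rule: a script fetched from cdn.example.net but included by a page at https://app.example.com runs with the origin of app.example.com, not that of the CDN.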
The moral of the story is that no matter how much validation is done on the client side, it's no substitute for validating user data on the server side. Anyone can bypass client-side checks by sending requests directly (with curl, a proxy, or the browser's developer tools), so the server must treat every incoming value as untrusted.
Computer users are notorious for choosing insecure passwords. A password that is a name, or is a dictionary word (any dictionary, not just English), or is short, can be cracked relatively easily.
There are two things you can do to try to improve the security of passwords in your application:
diceware.com is an interesting web site that is all about choosing secure passwords.
SSL (today, TLS) encrypts data in transit between a client and a server (in both directions, of course) and lets the client verify which server it is talking to. It certainly improves security during communication, but it does nothing to protect data before it is sent (for example, on a compromised client) or after it arrives (for example, stored unencrypted on the server), and it does nothing about flaws in the application itself.
Certificates are used to identify servers and facilitate the use of public-key cryptography: a certificate binds a server's public key to its host name and is signed by a certificate authority the browser trusts, so the browser can set up an encrypted connection and know it is with the intended server rather than an impostor.
Bugs in any kind of computer application are annoying to the people who legitimately use the application. To intruders, however, bugs can represent golden opportunities. Any bug in a computer application can be a security flaw that allows intruders to break into a system.
One technique that intruders use to break into systems is to supply input values that a legitimate user wouldn't (intentionally) enter: strings that are very long (hundreds or thousands of characters), strings that contain punctuation or other special characters (see the notes about sanitizing data above), negative or floating-point numbers where positive integers are expected, and so on. Thorough testing with exactly these kinds of inputs can uncover problems and improve security.
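The following added example (not code from the course notes) shows the server-side validation that the earlier "moral of the story" calls for, applied to the hostile inputs just listed: overlong strings, control characters, negative and floating-point numbers where a positive integer is expected, and trailing junk such as "12abc" that a lenient parser would silently accept. The request body, field names and limits are constructed assumptions.

```javascript
// Added example: strict server-side validation of a constructed request body.
// Field names (name, quantity) and limits are assumptions for illustration.

const MAX_NAME_LEN = 64;
const MAX_QTY = 1000;

// Strict positive-integer parse. Rejects "", "0", "-5", "3.5", "12abc", "1e3",
// surrounding whitespace, non-strings, and values outside the safe-integer range.
function parsePositiveInt(value, max) {
  if (typeof value !== "string" || !/^[1-9][0-9]{0,15}$/.test(value)) return null;
  const n = Number(value);
  return Number.isSafeInteger(n) && n <= max ? n : null;
}

// Display name: bounded length, no control characters (NUL, newlines, etc.),
// which are the usual carriers for log injection and header splitting.
function validateName(value) {
  if (typeof value !== "string") return null;
  if (value.length === 0 || value.length > MAX_NAME_LEN) return null;
  if (/[\x00-\x1f\x7f]/.test(value)) return null;
  return value;
}

// Validate the whole body. Returns {ok:true, value} with normalized fields,
// or {ok:false, errors} naming every rejected field.
function validateOrder(body) {
  const errors = [];
  const name = validateName(body?.name);
  if (name === null) errors.push("name");
  const quantity = parsePositiveInt(body?.quantity, MAX_QTY);
  if (quantity === null) errors.push("quantity");
  return errors.length ? { ok: false, errors } : { ok: true, value: { name, quantity } };
}

// For contrast, the lenient parse many handlers use: parseInt("12abc") is 12
// and parseInt("-5") is -5, so neither hostile value is caught.
function lenientQuantity(value) {
  return parseInt(value, 10);
}

// Usage:
//   validateOrder({ name: "Alice", quantity: "3" })          -> { ok: true, value: {...} }
//   validateOrder({ name: "x".repeat(5000), quantity: "-1" }) -> { ok: false, errors: ["name", "quantity"] }
```

The validator returns a normalized value (a real number, not the original string) so that downstream code never works with the raw input, and it reports every failing field at once, which makes the tests the notes recommend easy to write.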
Software testing is not the only part of software engineering that is relevant to security, however. Creating a good design is also important from a security point of view.
Cookies can be useful for remembering that a user has logged in, so that the user logs in once and can then access any page in a web site. The cookie should hold only an opaque session identifier, never the password or other credentials. However, because of privacy issues, some users disable cookies. An alternative to cookies is PHP's session mechanism, which stores client information on the server. If cookies are enabled, PHP uses a cookie to store a session id that matches the client's requests with the data stored on the server. If cookies are not enabled, and the session.use_trans_sid setting is turned on, PHP appends the session id to URLs instead. A session id in a URL is much weaker than one in a cookie: it ends up in browser history, server and proxy logs, and the Referer header sent to other sites, and it makes session fixation easy, so leaving use_trans_sid off (the default) is the safer choice.
Chrome doesn't allow cookies in documents that are loaded from local files (file:// URLs) rather than from a web server. Other browsers may also have trouble with cookies and local files, so test cookie code against a real web server, even a local one.