In a previous episode HTML5 session / local storage was discussed, but the question now is: where is it stored internally in a browser? Follow-up question: is it safe?

In Firefox 54 / Windows 10 the local storage can be found here (example):


A sqlite browser can be found at / (the 64bit windows.exe). My webappsstore has a 50 MB size. Curiously, the so-called originKeys are based on the hostnames spelled in reverse order. For example an entry of (a commercial supplier of tracking data) is listed as ten.dxrk.ndc.:http:80 with content kg = {"umr":"KLgRA.03UAH!CJgBA.glQAH"}, whatever that means. No attempts are made to encrypt data.

No trace of sessionStorage, however. This content is stored in Firefox's memory and is erased the moment a tab or a browser closes.
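An added example, not part of the original post: a small audit of such a store that decodes the reversed originKeys back into origins and lists what each one keeps in plaintext. The table name `webappsstore2` and its column layout are assumptions about the Firefox schema, and the rows are constructed sample data.

```python
import sqlite3

def decode_origin_key(origin_key):
    """Turn 'tsohlacol.oconiro.:http:80' into 'http://orinoco.localhost:80'."""
    # Split from the right so only the last two fields are scheme and port.
    reversed_host, scheme, port = origin_key.rsplit(":", 2)
    # The trailing dot of the stored key becomes a leading dot once reversed.
    host = reversed_host[::-1].lstrip(".")
    return f"{scheme}://{host}:{port}"

def audit(conn):
    """Return {origin: [(key, value), ...]} for every row in the store."""
    report = {}
    rows = conn.execute(
        "SELECT originKey, key, value FROM webappsstore2 ORDER BY originKey, key"
    )
    for origin_key, key, value in rows:
        report.setdefault(decode_origin_key(origin_key), []).append((key, value))
    return report

def sample_db():
    """In-memory stand-in for webappsstore.sqlite (assumed schema, constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE webappsstore2 (originAttributes TEXT, originKey TEXT, "
        "scope TEXT, key TEXT, value TEXT)"
    )
    conn.executemany(
        "INSERT INTO webappsstore2 VALUES ('', ?, '', ?, ?)",
        [
            ("tsohlacol.oconiro.:http:80", "theme", "dark"),
            ("tsohlacol.oconiro.:http:80", "cart", '{"items":[3,7]}'),
            ("moc.elpmaxe.rekcart.:https:443", "uid", "constructed-visitor-id-123"),
        ],
    )
    return conn

if __name__ == "__main__":
    for origin, items in audit(sample_db()).items():
        print(origin)
        for key, value in items:
            # Values are readable as stored: nothing is encrypted at rest.
            print(f"    {key} = {value}")
```

To inspect a real profile, work on a copy of the file and open it read-only with `sqlite3.connect("file:copy.sqlite?mode=ro", uri=True)` in place of `sample_db()`.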

The situation for Chrome (59) is similar: now the location is

C:\Users\rik\AppData\Local\Google\Chrome\User Data\Default\Local Storage

Instead of a single sqlite file, each host has its own little file. For orinoco.localhost a file is generated as http_orinoco.localhost_0.localstorage but it remains empty. As with Firefox, in a typical entry no attempt is made to encrypt data.

A session storage directory can also be found:

C:\Users\rik\AppData\Local\Google\Chrome\User Data\Default\Session Storage

It contains a bunch of files but the storage of actual data is not obvious.