Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I naively assumed from the headline that the author would complain about users blocking cookies. I was very pleasantly surprised to see a post written by someone who appreciates that some users will want to do this and is actively working to support delivering them a useful content experience!


I assumed the same thing and was indeed happy when it turned out to be the better thing.


[flagged]


> Aside from that, what the heck is so important that folks need to cookie that can't be just tied to the session token in the backend?

literally any functionality that needs to persist state and you want to use offline and between reloads? See also Progressive Web Apps (PWAs).


Using a username and password, or saving a bookmark to the current page both work.


You can store the state in the URL, can you not? That used to be done anyhow.


I have written a web app that does this so you can share links which have the same state. You can't have that long of URLs actually - especially for some browsers.

Having to base64 encode most/all of it so you can safely use any kind of data makes it even worse.

My use case was very basic and I quickly hit limits that made it so I couldn't "persist" all of the data I wanted.


Er, you'd store the data in your DB of course and only a comparatively small, encrypted index to it in the URL. You wouldn't trust the client to "persist" the data anyhow.


The question was about storing state in the URL. You are referring to storing a session I’d in the URL. Quite different.


I really hope y'all are aware that URLs generally aren't treated as secret, but authenticated session state should be treated as secret.


I think the poster is referring to things like "offline Google Docs editing that can survive a browser shutdown or crash" which would be... difficult... to cram into a URL ;)


> what the heck is so important that folks need to cookie that can't be just tied to the session token in the backend?

Storing information on the client makes your site a lot more transparent about what it's keeping. If I have various user preferences in local storage you can tell that's what I'm doing and why, but if I just cookie you with an opaque token you have no idea what I'm tracking with that on the server.


While this can help, it needs to be done alongside network traffic analysis. If you type your name/phone number/address into (for example) a resume template, and you see that information stored in the local client, you don't know whether that information is also stored on the server.


Not disagreeing! This is primarily useful for sites that are trying to make it easy for their users to determine what's happening behind the scenes.


If there were a simple to examine and pick through localstorage, maybe. Of course if there were, localstorage would be intentionally obfuscated.


It's relatively straightforward. You open the console, type window.localStorage, and poke around. On the article I see:

    > window.localStorage
    Storage {dark-mode-toggle: 'light', cid: '2722...', length: 2}
Ignore the "length" (implementation detail) and you can see it's storing whether I've turned on dark mode and some id that's likely per-user. If I switch the page to dark mode I see instead:

    > window.localStorage
    Storage {dark-mode-toggle: 'dark', cid: '2722...', length: 2}


You could also just use the Storage tab in the devtools of your browser of choice, Chrome and Firefox at least both provide a GUI for looking at storage. Not sure what all Chrome's shows, but Firefox's shows Cache Storage, Cookies, IndexedDB, LocalStorage, and SessionStorage.


As someone working on a ticketing purchase flow, this is critical... can't exactly just turn people away! I was also surprised about localstorage throwing exceptions.


> can't exactly just turn people away!

Given that many cookie banners still (IMHO illegally, to be verified by courts) give the choices "accept tracking or fuck off" I guess you could. But it behoves you that you would assume it's a stupid idea. :)


I wasn't even using localstorage for tracking, it was for functionality.




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: