Web storage - introduction

 

First there were cookies - small files that some websites store on your computer.

However people got wise to them, and rebelled against them, and browser developers gave users the ability to delete them.

Then came the Flash Player, and with it came a new form of storage, called Local Shared Objects - and browsers had no way to delete them, as they were not really anything to do with the browser and HTTP.

Nicknamed flash cookies, they remained below the radar for quite a while, but eventually the world found out about them, and rebelled again.

Only this time hysteria took over as it was claimed that there was no way to delete them - in fact they are just files, and can be deleted just like any other files using a file management programme.

I did a web page about them some time ago.

However Flash is coming to the end of its useful life, as HTML 5, the newest form of web communications protocol, has a built-in facility for audio and video streaming, so Flash is becoming redundant.

Now when HTML 5 was first developed, fairly logically, a new form of storage was developed, now known as Web Storage or Persistent Storage, and it was part of the HTML 5 specification.

However it has since grown wings, and is now a specification in its own right.

Web storage is supported on the more recent versions of browsers such as IE 9, 10 and 11, Firefox, Opera, Safari, and Chrome.

Somewhat unfortunately, you will also find some places refer to web storage as DOM storage - it is unfortunate because previously DOM had a completely different meaning, so it is a confusion factor.

Browser developers are being a bit cagey about web storage: they tend to hide its existence, and make it a lot more difficult to delete the stored data and to configure the browser so that no data gets stored on the user's computer.

 

The technology of web storage

There are at least three kinds of web storage

⇒   local storage
data in local storage is stored as a key / value pair
data in local storage is stored on the hard drive
this type of storage has no expiry date, so can live on your computer for ever
the data in local storage is stored in the form of a string, and is insecure - it is not encrypted - so websites should not use it for security sensitive data - however that doesn't mean that they will not do it
⇒   session storage
data in session storage is stored in system memory - presumably that also includes the memory cache on disk
this type of storage should cease to exist when the browser window or tab is closed
⇒   database storage
data is stored in a database - I think that SQLite is the specified form
I am not sure how many browsers currently support database storage, there is much less information on the web about database storage than there is for local storage and for session storage
⇒   global storage
global storage is or was an intermediate form of web storage that few browsers supported
effectively it was similar to local storage, and is now unlikely to be used

 

Local storage

Web storage allows for a much greater amount of data to be stored than was allowed by the original cookies, and by Flash cookies.

The original cookies could typically store 4096 bytes per cookie, but there was some variation across the different browsers.

Flash cookies could by default store something like 100kb of data, but Flash could ask the user for more.

Strictly speaking, the specification for web storage doesn't specify how much data can be stored, however most browsers are configured to allow each domain to store 5Mb of data in local storage - I think that IE allows 10Mb per domain.

The Blackberry is even worse than that - it allows 25Mb of storage space per domain.

This is a lot of data - not only from the point of view of how much information a website can store on your computer, but it is also eating up the hard drive space.

In theory, the browser should not allow the data stored by one domain to be read by another domain.

However this is not foolproof - for a start, a rogue website can use DNS spoofing to make the browser think it is a different domain, and thereby get access to the data that is stored for that different domain.

In addition, the data in local storage is stored in files just like any other files, and so can be read by any other piece of software that can look inside files, and understands the coding used.

One of the significant differences between flash cookies and local storage is that with flash cookies it didn't matter what browser you were using, the cookies were always stored in the same place on the hard drive - whereas with local storage each browser stores the data in a place and in a format which is only used by that browser.

So it is necessary to find out where the data is stored, what format it is in, and what tools you can use to read the data, for each browser.

 

Session storage

I am not 100% sure of this, but it looks as if the only limit on the amount of data that a website can store in session storage is the amount of available memory in the computer - so this could be several Gb of data.

There are a few websites that state quite clearly that session storage is only limited by the system storage capacity.

There are some comments on some forums about whether the amount of session storage is limited in any way - some people think it is.

Whilst I can find settings on browsers to control the amount of storage allowed for local storage, so far I have not found any settings that control the amount of memory that can be used for session storage.

So on balance it looks like there are no limits on the amount of data that can be stored in session storage apart from the total amount of storage available within the computer.

Now if the website developer does his/her job properly, then the website should include an instruction to clear the data from session storage - however I really don't think you can rely on that.

In addition, it should get cleared at the end of the session with that website, however if the browser doesn't do its job properly, it could be that system memory gets used up storing data that should have been deleted.

Early editions of Firefox were known for not releasing RAM when Firefox was shut down, so it does happen.

There is also the problem of what happens when the browser crashes - will the data in session storage still be there, or will it have been deleted - different browsers react differently, even different versions of the same browser can react differently.

One of the subsequent problems of session storage not being deleted is that the data is still there, and may be viewable by other websites, or even by other users at the same computer.

 

Web storage and JavaScript

I'm not into coding enough to say this with certainty, however it seems that a website needs to use JavaScript in order to use either session storage or local storage.

Certainly, JavaScript can be used to invoke web storage, and it is the most discussed method, but I'm not sure if it is the only way - it might also be possible to do it other ways, for example, through Java, although I'm not sure if that would still count as web storage.

So it is reasonable to suggest that if you switch off JavaScript in your browser, most websites can't store data on your computer via web storage.

Of course, some websites will not work without JavaScript enabled, but a lot of websites use JavaScript to deliver loads of stuff you don't need, and to run user tracking software - so there can be other advantages in switching off JavaScript.

Also, it is anyway a good idea to un-install Java from your computer if you don't need it - some programmes do use Java, and so they will not work - but I haven't ever found a website that needed Java - however you need to make your own decisions on that.

I reckon that most home users can live quite happily and more safely without Java on their computers.

 

Cloud storage

One of the more intriguing issues surrounding web storage is its possible association with cloud storage.

Cloud storage is of course a general term for data storage on remote internet servers - but there is nothing that says that your computer can't also be a server.

There is nothing new in this - way back in Windows NT days, there were frequent viral/malware attacks that turned desktop and home PCs into FTP servers, and they were used to store images - usually pornographic - which other computers could then access.

I don't know if these types of attack are still as common as they were, however web storage introduces a whole new way for unscrupulous websites to use your computer as a form of cloud storage.

They don't even need to attack your computer - your browser is now allowing these websites to do this.

All the anti-virus and anti-malware software in the world will not find it - because they don't need to attack your computer - the facility is just there, waiting to be used.

And yes, images can be stored in both local storage and in session storage using base64 encoding.

So it is theoretically possible.
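The points made on this page about local storage (plain unencrypted strings, a per-domain allowance of around 5Mb, images held as base64) can be checked for any site by listing what it has actually stored. The following is an added example, not code from the original page; `auditStorage`, `classify` and `makeMemoryStorage` are hypothetical names, the byte count is an estimate, and the sample data is constructed.

```javascript
// In a browser console: auditStorage(localStorage) or auditStorage(sessionStorage).
const QUOTA_BYTES = 5 * 1024 * 1024; // assumption: the ~5Mb per-domain figure from the page

// Hypothetical stand-in for the browser's Storage interface, so this runs outside a browser.
function makeMemoryStorage(entries) {
  const map = new Map(Object.entries(entries).map(([k, v]) => [k, String(v)]));
  return {
    get length() { return map.size; },
    key: (i) => [...map.keys()][i] ?? null,
    getItem: (k) => (map.has(k) ? map.get(k) : null),
  };
}

const DATA_URI = /^data:([a-z]+\/[a-z0-9.+-]+);base64,/i;
const TOKEN_LIKE = /^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]*$/;

// Label a stored string: embedded file, token-shaped secret, JSON, or plain text.
function classify(value) {
  const m = DATA_URI.exec(value);
  if (m) return `embedded file (${m[1].toLowerCase()})`;
  if (TOKEN_LIKE.test(value)) return 'token-like string';
  try {
    const parsed = JSON.parse(value);
    if (parsed !== null && typeof parsed === 'object') return 'JSON';
  } catch (_) { /* not JSON */ }
  return 'plain string';
}

function auditStorage(storage) {
  const items = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key);
    // Strings are UTF-16, so estimate 2 bytes per code unit; browsers may count differently.
    items.push({ key, bytes: (key.length + value.length) * 2, kind: classify(value) });
  }
  items.sort((a, b) => b.bytes - a.bytes); // largest entries first
  const totalBytes = items.reduce((sum, it) => sum + it.bytes, 0);
  return { items, totalBytes, quotaUsed: totalBytes / QUOTA_BYTES };
}

// Constructed sample data standing in for one site's local storage.
const sample = makeMemoryStorage({
  theme: 'dark',
  cart: JSON.stringify({ items: [1, 2] }),
  avatar: 'data:image/png;base64,iVBORw0KGgo=',
  session: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl',
});
console.table(auditStorage(sample).items);
```

Entries reported as token-like strings or embedded files are the ones worth a closer look, since anything in web storage is readable by every script running on that site.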

 

Web storage and the law

There have been at least two European directives issued by the EU about websites storing data on computers - 2002/58/EC, and 2009/136/EC.

In the UK, the Information Commissioner's Office is the government body responsible for ensuring compliance within the UK, and they have a document "Guidance on the rules on use of cookies and similar technologies" - v3, 2012.

From this it can be seen that the legislation applies to any form of data stored on users' computers - it doesn't prevent the storage of data, but it does say that the users must be informed that the website wants to store data on their computers, and they should agree to it happening.

So any website - or perhaps that should be any website hosted or owned by someone within the UK - should advise you it wants to use web storage.

That seems well and good.

However, if you dig a little deeper, things are not so clear cut - because buried in the document is discussion about implied consent.

So if a website posts a message saying that some form of data storage is taking place, and the user continues to use the website, that could be taken as implied consent.

More insidious is the suggestion in the guidance document that if the browser is configured to allow web storage then a website may be entitled to regard the browser settings as implied consent.

As all browsers I have ever met have cookies and web storage enabled by default, then by not reconfiguring the browser settings, you have given your implied consent.

All of which suggests that within the UK, the Information Commissioner's Office is paying lip service to the European legislation, whilst at the same time trying to negate it.

 

Evercookies

I don't wish to cause any alarm and despondency, however when I was surfing around the internet looking for information on web storage, I came across a reference to "evercookies".

Now these are really fun - it appears that on the average MS Windows based computer using Internet Explorer as the browser, there are thirteen different places that a website can use to store data on your computer.

It is possible to write a JavaScript script that will use all thirteen of these places.

What is more, if the user subsequently deletes the data from up to twelve of these places, then the script can extract the data from the one remaining hiding hole, and put it back into the other twelve.

Be afraid, be very afraid!

 

 

 

 

 


 

© 2024   Ron Turner

 
