InspectWP Logo
Glossary

What is localStorage and sessionStorage?

February 8, 2026

localStorage and sessionStorage are two mechanisms provided by the Web Storage API, a standard built into every modern browser. They let websites store key-value pairs directly in the visitor's browser, without involving the server on every page load. If you have ever toggled dark mode on a website and found that your preference was still there the next day, chances are the site saved that choice in localStorage.

How the Web Storage API Works

The Web Storage API is intentionally simple. You call localStorage.setItem('key', 'value') to write data, localStorage.getItem('key') to read it, and localStorage.removeItem('key') to delete it. sessionStorage uses the exact same methods. Both stores only accept strings, so objects are typically serialized with JSON.stringify() before being saved. There is no query language, no indexing, and no relational structure. It is a flat key-value store designed for quick, lightweight reads and writes.

localStorage vs sessionStorage: Key Differences

  • Persistence: localStorage data stays in the browser until the user or the site explicitly deletes it. There is no expiration date. sessionStorage data, on the other hand, is wiped the moment the browser tab is closed.
  • Scope across tabs: localStorage is shared between all tabs and windows that belong to the same origin (protocol + domain + port). sessionStorage is isolated to a single tab. If you open the same page in two tabs, each tab has its own sessionStorage.
  • Storage limits: Both typically offer 5 to 10 MB per origin, depending on the browser. Chrome and Firefox default to about 5 MB per origin for each store. Safari may be stricter, especially in private browsing mode, where it sometimes limits storage to as little as a few hundred kilobytes.
  • Network behavior: Neither localStorage nor sessionStorage is sent to the server with HTTP requests. This is the fundamental difference from cookies, which are attached to every request header automatically.

What WordPress Sites Commonly Store

WordPress plugins and themes use browser storage for a wide variety of purposes. Here are the most common ones:

  • Theme preferences: Dark mode toggles, sidebar collapsed/expanded state, font size choices. These are almost always stored in localStorage because they should survive a tab close.
  • Shopping cart data: WooCommerce and similar plugins sometimes cache cart fragments in localStorage to avoid extra server roundtrips when displaying the mini-cart in the header.
  • Form drafts: Contact form plugins may auto-save user input into sessionStorage so that a partially filled form is not lost if the user accidentally navigates away and then returns via the back button.
  • Cookie consent choices: Some consent banner plugins (like Complianz or CookieYes) store the visitor's consent state in localStorage rather than in a cookie, although using a cookie is more common.
  • Admin UI state: The WordPress admin dashboard itself uses both storage mechanisms. For example, it remembers which meta boxes are collapsed, which columns are visible in the post list, and whether the admin menu is folded.
  • Analytics and tracking buffers: Some analytics scripts batch events in localStorage and send them to the server in groups to reduce network requests.

Security Considerations

Web Storage is convenient, but it comes with real security trade-offs that developers need to understand.

  • XSS exposure: Any JavaScript running on the page can read localStorage and sessionStorage. If an attacker manages to inject a script through a cross-site scripting (XSS) vulnerability, they can extract every stored value. Cookies can be protected with the HttpOnly flag, which blocks JavaScript access entirely. There is no equivalent protection for Web Storage.
  • Same-origin policy: Storage is scoped to the origin, meaning https://example.com cannot read storage from https://other.com. However, any script on the same origin, including third-party scripts you load (analytics, ad networks, chat widgets), has full access to the same storage.
  • No encryption: Data is stored in plain text on disk. Anyone with physical access to the device, or malware running on the device, can read it. Never store passwords, tokens, or other sensitive credentials in Web Storage.
  • No server-side validation: Since the data lives only in the browser, a user or script can freely modify it. Never rely on Web Storage values for authorization or security decisions on the server.

GDPR and Privacy Implications

Under the GDPR and the ePrivacy Directive, localStorage and sessionStorage are treated the same way as cookies when it comes to consent requirements. The legal principle is technology-neutral: if you store or read information on a user's device for a purpose that is not strictly necessary for the service the user requested, you need consent. This means a WooCommerce cart stored in localStorage is likely "strictly necessary" and does not need consent. But an analytics ID stored in localStorage to track returning visitors absolutely does. Many site owners overlook this because cookie consent tools traditionally focus on cookies, but regulators have made it clear that the rules apply to all client-side storage technologies.

Web Storage vs Cookies: When to Use Which

  • Use cookies: when the server needs to read the value on every request (session IDs, authentication tokens), when you need HttpOnly protection against XSS, or when you need fine-grained expiration control.
  • Use localStorage: when you need to persist client-side preferences or cache data across sessions, the data does not need to travel to the server, and the data is not sensitive.
  • Use sessionStorage: when the data should only live for the duration of a single tab session, such as form wizard progress, temporary UI state, or one-time redirect tokens.

Performance Comparison

Reading from and writing to Web Storage is synchronous and happens on the main thread. For small amounts of data this is fast, usually under a millisecond. But if a page writes or reads large volumes of data on every interaction, it can cause jank. Cookies, by contrast, add overhead in a different way: they increase the size of every HTTP request header, which slows down every network call. For storing a handful of small values, both approaches perform well. For larger data sets (tens of KB or more), consider IndexedDB, which is asynchronous and does not block the main thread.

How to Inspect Storage in DevTools

Every major browser lets you inspect Web Storage. In Chrome, open DevTools (F12), go to the Application tab, and look for "Local Storage" and "Session Storage" in the left sidebar. You can see every key-value pair, edit values manually, and delete entries. Firefox has a similar panel under the Storage tab. This is the easiest way to see exactly what a WordPress site stores in your browser and to troubleshoot unexpected behavior.

What InspectWP Checks

InspectWP lists all localStorage and sessionStorage entries set by your WordPress site during the crawl. This gives you a clear picture of what your site stores client-side, which plugins are responsible, and whether any entries might raise privacy concerns under GDPR or ePrivacy rules.

Previous article

What are Heading Tags (H1-H6)?

Next article

What is the WordPress Gutenberg Editor?

Related Articles

What is a Web Application Firewall (WAF)?

What are Core Web Vitals?

What is WordPress Multisite?

View all articles

Check your WordPress site now

InspectWP analyzes your WordPress site for security issues, SEO problems, GDPR compliance, and performance — for free.

Analyze your site free