Differences between cookies, sessionStorage, and localStorage
Websites sometimes store information inside the browser.
Examples include keeping a login state, remembering display settings, keeping items in a cart, restoring a previous screen or action, and identifying a return visit from the same browser.
Representative mechanisms used for this include cookies, sessionStorage, and localStorage.
They make the Web convenient. However, from the perspective of anonymity, they become clues for identifying the same browser.
What are cookies?
Cookies are small pieces of data that a website stores in the browser and that are sent to the server with requests that match certain conditions.
They are used for login state, session IDs, display settings, traffic analytics, advertising identification, and similar purposes.
For example, when you log in to a site, a cookie showing the session is stored in the browser. When you access the same site next time, that cookie is sent. The site can treat that browser session as logged in.
What matters for anonymity is that cookies remain even if you change your IP address.
After accessing from your home connection, even if you use a and access with the same browser, if the same cookie is sent, you are treated as the same browser.
What is sessionStorage?
sessionStorage is data temporarily stored per browser tab or window.
In general, it disappears when that tab is closed. It is used for partially completed form input, screen state, temporary action information, and similar purposes.
Unlike cookies, it is normally not sent automatically with each HTTP request. It is read and written from JavaScript and used for processing inside the page.
However, the fact that it is not sent to the server does not mean it is unrelated to anonymity. A web page's script can read it and send it to the server if needed.
What is localStorage?
localStorage is data stored in the browser for the long term.
It remains after closing a tab. It remains after restarting the browser. It may be used for site settings, themes, saved state, identifiers, and similar purposes.
It can store larger data than cookies and is handled from JavaScript.
For anonymity, watch for values left in localStorage being used to identify return visits.
Even if you delete cookies, if an identifier remains in localStorage, you may be treated as the same browser.
Differences between the three
Cookies, sessionStorage, and localStorage differ in storage period and how they are sent.
| Item | Cookie | sessionStorage | localStorage |
| --- | --- | --- | --- |
| Storage period | Remains until the configured expiration | Until the tab or window is closed | In principle, remains without an expiration, but may be deleted depending on user actions, browser settings, private browsing, or how storage areas are handled |
| Sending to the server | Sent automatically if conditions match | Not sent automatically | Not sent automatically |
| Main uses | Login, sessions, analytics | Temporary screen state | Settings, saved state, identifiers |
| Anonymity caution | The same browser can be recognized even if the IP changes | Used in page processing | May remain after cookie deletion |
All of them are information that remains inside the browser. For anonymity, looking only at cookies is not enough.
Situations that become problems for anonymity
The problem arises when real-name use and anonymous use mix in the same browser.
For example: using a browser that was logged in to a real-name account as-is for anonymous activity; deleting only cookies while localStorage remains; or opening an anonymous site, then returning to a real-name service in the same tab or browser.
In this kind of use, information inside the browser gets mixed.
| Situation | What happens |
| --- | --- |
| Using real-name and anonymous activity in the same browser | Cookies and stored information mix |
| Deleting only cookies | localStorage and similar storage remain |
| Doing anonymous activity while a logged-in site remains open | Behavior connects within the same environment |
| Using multiple accounts in the same browser | Account correlation becomes more likely |
For anonymity, it is important not only to delete stored data, but also to separate environments.
Cookies, sessionStorage, and localStorage may be handled together as the same "site data." However, they are not stored or deleted in exactly the same way.
Even if you press "delete history" in the browser, depending on the selected items, only cookies, only cache, or only browsing history may be deleted, leaving part of the site data behind. Conversely, if you delete site data as a whole, login state and settings also disappear.
| Action | Caution |
| --- | --- |
| Delete only browsing history | Cookies and localStorage may remain |
| Delete cookies | Other storage areas such as localStorage may remain |
| Delete site data | Login state and settings also disappear |
| Private window | Behavior differs from the existing normal browser environment |
| Browser sync | Information may return from another device |
For anonymity, check the deletion scope so you avoid thinking something was deleted when it was not.
Separation is more important than deletion
Cookies and localStorage can be deleted. However, it is difficult to keep deleting them perfectly every time.
Storage locations differ by site. The deletion scope differs by browser setting. Extensions and sync features affect it. A new identifier is created the moment you log in.
For that reason, when protecting anonymity, it is more realistic to separate browsers for real-name use and anonymous use instead of relying only on deletion.
For high-risk activity, consider separating not only the browser but also the device, OS, and network environment.
Private browsing may also be useful as part of separation. However, a private window is not an anonymization technology. It is not a mechanism that completely hides you from websites, telecommunications providers, workplace or school networks, or destination servers.
A private window is mainly a feature for making it harder to leave history and cookies on the device. If you log in to a real-name account, that behavior connects to the account.
What to check
For stored information inside the browser, check the following.
Whether you are using the same browser for real-name use and anonymous use
Whether you are logging in to a real-name account in the browser for anonymous use
Whether you are checking all site data, not only cookies
Whether you are assuming localStorage and sessionStorage may remain
Whether browser sync is mixing information with other devices
Whether extensions hold stored information
Browser sync requires particular caution. If bookmarks, history, extensions, and saved passwords from a real-name environment enter an anonymous environment, separation breaks.
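To check all site data and not only cookies, as the list above asks, the following added example (not part of the original article) inventories what the current origin keeps in cookies, sessionStorage, and localStorage, and reports identifier-like values that deleting only cookies would leave behind. The function names, the `fakeStorage` stand-in, the constructed sample values, and the identifier heuristic are assumptions made for illustration.

```javascript
// Split a document.cookie string ("a=1; b=2") into [name, value] pairs.
// HttpOnly cookies never appear in document.cookie, so they are not listed.
function parseCookies(cookieString) {
  return cookieString.split(";").map((p) => p.trim()).filter(Boolean).map((p) => {
    const eq = p.indexOf("=");
    return eq === -1 ? ["", p] : [p.slice(0, eq), p.slice(eq + 1)];
  });
}

// Read every key/value pair through the standard Storage interface.
function storageEntries(storage) {
  return Array.from({ length: storage.length }, (_, i) => storage.key(i))
    .map((key) => [key, storage.getItem(key)]);
}

// Heuristic (assumption): a run of 16+ token characters that mixes letters
// and digits is flagged as identifier-like. Expect some false positives.
function looksLikeIdentifier(value) {
  const tokens = String(value).match(/[A-Za-z0-9_-]{16,}/g) || [];
  return tokens.some((t) => /[0-9]/.test(t) && /[A-Za-z]/.test(t));
}

// One row per stored item across all three mechanisms.
function auditSiteData({ cookieString, session, local }) {
  const sources = [
    ["cookie", true, parseCookies(cookieString)], // sent when conditions match
    ["sessionStorage", false, storageEntries(session)],
    ["localStorage", false, storageEntries(local)],
  ];
  return sources.flatMap(([store, sentAutomatically, pairs]) =>
    pairs.map(([name, value]) => ({
      store, name, sentAutomatically, identifierLike: looksLikeIdentifier(value),
    })));
}

// Identifier-like items that deleting only cookies would leave behind.
function leftAfterCookieDeletion(rows) {
  return rows.filter((r) => r.store !== "cookie" && r.identifierLike);
}

// Constructed stand-in for a Storage object, used when no browser is present.
const fakeStorage = (obj) => ({ length: Object.keys(obj).length,
  key: (i) => Object.keys(obj)[i], getItem: (k) => obj[k] });
const inBrowser = typeof document !== "undefined";
const rows = auditSiteData(inBrowser
  ? { cookieString: document.cookie, session: sessionStorage, local: localStorage }
  : { cookieString: "sid=abc; theme=dark", session: fakeStorage({ draft: "hello" }),
      local: fakeStorage({ visitor: "3f2a9c1e-7b4d-4e8a-9f10-2c5d6e7f8a9b" }) });
console.table(leftAfterCookieDeletion(rows));
```

Run in the DevTools console of a page, it covers only that page's origin and only what page scripts can see; other origins, HttpOnly cookies, and extension storage need the browser's own site-data view.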
Summary
Cookies, sessionStorage, and localStorage are mechanisms websites use to store information inside the browser.
Cookies are sent automatically to the server if conditions match. sessionStorage is used for temporary storage per tab. localStorage is a long-term storage area.
They make the Web convenient, but for anonymity, they become clues for identifying the same browser.
Even if you change your IP address, if cookies or localStorage remain, you may be treated as the same browser.
To protect anonymity, it is important not only to delete stored information, but also to separate browser environments for real-name use and anonymous use.