Expiration of sessionStorage

Question

I am building a form in which I have to store the data in HTML5's sessionStorage I don't know when the sessionStorage expires. Can anyone tell me about the expiration time of the sessionStorage?

score 97 · Accepted Answer · edited Oct 20 '21 at 03:12

97

It lives and dies with your browser session and is not shared between tabs. It doesn't expire automatically. So if you never close your browser it never expires.

So when the tab/window is closed the data is lost.

Each sessionstorage area is allowed 5MB of storage (in some browsers 10MB). Whereas cookies only allow 4kb (or more in some browsers). Cookies however have a set expiration date.

As Christophe wrote in the comments, localstorage never expires. It's also shared across tabs and is the same size as sessionstorage (5MB).

edited Oct 20 '21 at 03:12

ElsaKarami

624
1
4
14

answered Mar 02 '13 at 06:56

Peter Rasmussen

16,474
7
46
63

Yes. If you close your tab/browser, it expires. I have a feeling that this might be the root to your problems - and why you are asking the question. If you want it to live beyond the browser session, use a normal cookie. – Peter Rasmussen Mar 02 '13 at 06:59
2

Note that contrary to sessionStorage, localStorage doesn't expire when you close the browser. – Christophe Mar 02 '13 at 07:22
23

`sessionStorage` actually doesn't expire when you close the browser, it can span browser sessions. If you close the browser and save the tab or the browser crashes and you restore the tabs when you restart it, [it counts as the same session](http://dev.w3.org/html5/webstorage/#the-sessionstorage-attribute) Note the line _The lifetime of a browsing context can be unrelated to the lifetime of the actual user agent process itself, as the user agent may support resuming sessions after a restart._ – Useless Code Mar 02 '13 at 11:37
9

`sessionStorage` will also [survive a reload](https://developer.mozilla.org/en-US/docs/DOM/Storage#sessionStorage) if you refresh the page. – Useless Code Mar 02 '13 at 11:45
1

can we set time after which a sessionStorage removes a paticular key ? – vijay shanker Apr 15 '14 at 07:03
Not out of the box. But you can make your own implementation if you have the need for it. See this question for some answers on how to do that http://stackoverflow.com/questions/2326943/when-do-items-in-html5-local-storage-expire – Peter Rasmussen Apr 15 '14 at 07:19
7

It should be called tabStorage or windowStorage or something. Session is such a vague term. – Jake Wilson Jan 06 '16 at 21:39
1

Maybe sessionStorage can be shared between tabs if they are in same session. at least I tested in Chrome/Safari/Firefox. – LCB Nov 04 '16 at 15:12
1

Chrome has a setting called "Continue where you left off" which is enabled by default so it must be prevalent. With this setting in place, if you close the browser and open it again, Chrome will restore your tabs and the sessionStorage from your previous browsing session will still be active. – wadim Nov 23 '16 at 10:00
`sessionStorage` also survives "Reopen closed tab", so it doesn't delete data immediately after tab close. – Jamby Jul 21 '22 at 14:27

score 37 · Answer 2 · answered Jan 03 '17 at 12:16

I know this question is pretty old but I will post my answer if someone else stumbles upon this and finds it helpful. You can pretty much simulate sessionStorage or locaStorage expiration with something like this:

//In your login logic or whatever
var expires = new Date(year, month, day, hours, minutes, seconds, milliseconds);
var sessionObject = {
    expiresAt: expires,
    someOtherSessionData: {
        username: ''
    }
}
sessionStorage.setItem('sessionObject', JSON.stringify(sessionObject));

You can also encrypt this object by using something like http://bitwiseshiftleft.github.io/sjcl/ if you don't want this session object to be in clear.

On every page load you can check if the sessionStorage, or localStorage for that matter, is expired:

$(document).ready(function(){
    var currentDate = new Date();
    var sessionObject = JSON.parse(sessionStorage.getItem('sessionObject'));
    var expirationDate = sessionObject.expiresAt;
    if(Date.parse(currentDate) < Date.parse(expirationDate)) {
        //normal application behaviour => session is not expired
        var someAppVariable = sessionObject.someOtherSessionData.etc;
    } else {
        //redirect users to login page or whatever logic you have in your app 
        //and remove the sessionStorage because it will be set again by previous logic
        sessionStorage.removeItem('sessionObject');
        console.log('session expired');
    }
});

If you do not want users to be kept as logged in after the tab or browser closes use sessionStorage, otherwise you should use localStorage and manipulate it as you desire.

I hope someone will find this helpful.

This sounds like a login vulnerability to me. If someone opens developer tools, modifies the date, they'll have access. — AliAvci, Oct 31 '19 at 11:24
Such a person is accessing client side code, yes that is safe for someone to tinker , still the api will throw a 401 given the person doesnt have a valid token — Barungi Stephen, May 24 '21 at 12:55
@BarungiStephen Exaclty this works well for user experience because it would let the user know they no longer have an active session and may need to re-authenticate, instead of leaving the user in a limbo state — TheRealChx101, Feb 23 '23 at 22:24

score 22 · Answer 3 · answered Jan 10 '18 at 10:02

You can add some kind of expiration mechanism with something like this :

// get from session (if the value expired it is destroyed)
function sessionGet(key) {
  let stringValue = window.sessionStorage.getItem(key)
    if (stringValue !== null) {
      let value = JSON.parse(stringValue)
        let expirationDate = new Date(value.expirationDate)
        if (expirationDate > new Date()) {
          return value.value
        } else {
          window.sessionStorage.removeItem(key)
        }
    }
    return null
}

// add into session
function sessionSet(key, value, expirationInMin = 10) {
  let expirationDate = new Date(new Date().getTime() + (60000 * expirationInMin))
    let newValue = {
    value: value,
    expirationDate: expirationDate.toISOString()
  }
  window.sessionStorage.setItem(key, JSON.stringify(newValue))
}

score 1 · Answer 4 · answered Nov 02 '18 at 10:26

1

You can save expiration time in cookie. In every page loading read the cookie, if it's empty (means expired) then clear sessionstorage.

answered Nov 02 '18 at 10:26

danan

441
4
4

1

why not use sessionStorage itself? just store the creation date in a specific key. cookies dont yield any benefit over this - another technology youre polluting your site with – muzzletov Dec 03 '22 at 09:58

Expiration of sessionStorage

4 Answers4

Linked

Related