Cookie, Storage

Uploaded by Taosiful Akash

Interview questions

Here are the interview questions along with their answers for Cookies, Local Storage, Session Storage, and Tokens (JWTs):

Basic Questions and Answers

1. What are cookies, and how do they work in web applications?
Answer: Cookies are small pieces of data stored on the client's browser. They are used to maintain state across different requests, such as keeping a user logged in. Each time the browser makes a request to the server, the cookies associated with that domain are sent along with the request.

2. Explain the difference between Local Storage and Session Storage.
Answer: Both Local Storage and Session Storage are web storage mechanisms available to JavaScript. Local Storage persists data indefinitely until it's explicitly deleted, whereas Session Storage only persists data for the duration of a page session (i.e., until the browser tab or window is closed).

3. What is a JSON Web Token (JWT)?
Answer: JWT is an open standard (RFC 7519) used for securely transmitting information between a client and server as a JSON object. It is commonly used for authentication. JWTs consist of three parts: Header, Payload, and Signature.

4. How do cookies differ from Local Storage in terms of security and usage?
Answer: Cookies are sent with every HTTP request, making them suitable for server-side session management, while Local Storage is only accessible via JavaScript. Cookies can be made more secure with flags like HttpOnly and Secure, whereas Local Storage is vulnerable to XSS attacks.

5. Can you describe the lifecycle of a session using cookies?
Answer: A session cookie is created when a user logs in. It is sent with every request to the server until it expires or is deleted. The session ends when the cookie expires (based on a set expiration time) or when the user logs out and the cookie is destroyed.

6. What are the security implications of storing JWTs in Local Storage?
Answer: Storing JWTs in Local Storage exposes them to XSS (Cross-Site Scripting) attacks, where malicious scripts could access and steal the token. A better alternative is storing JWTs in cookies with HttpOnly and Secure flags enabled to prevent JavaScript access and ensure they are sent only over HTTPS.

7. What is the maximum size of data you can store in cookies, Local Storage, and Session Storage?
Answer:
Cookies: 4KB.
Local Storage: 5-10MB (varies by browser).
Session Storage: 5-10MB (varies by browser).

8. How can you set an expiration for a cookie?
Answer: A cookie's expiration can be set by using the Expires or Max-Age attributes when creating the cookie. For example, document.cookie = "name=value; expires=Fri, 31 Dec 2024 23:59:59 GMT" sets the cookie to expire on the specified date.

9. What are the benefits and drawbacks of using Session Storage over Local Storage?
Answer: Session Storage is ideal for storing data that only needs to persist for the duration of the browser session. It offers a lightweight solution but lacks persistence across sessions, unlike Local Storage, which can store data indefinitely.

Advanced Questions and Answers


1. Explain the role of the HttpOnly and Secure flags in cookies.
Answer: The HttpOnly flag prevents JavaScript from accessing the cookie, mitigating XSS attacks. The Secure flag ensures that the cookie is only sent over HTTPS connections, reducing the risk of man-in-the-middle attacks.

2. In what scenarios would you prefer to store tokens in cookies over Local Storage or Session Storage?
Answer: Storing tokens in cookies is preferable when you need to protect the token from JavaScript access (using HttpOnly) and ensure it's automatically sent with each request to the server. This is ideal in scenarios where secure, server-based authentication is required.

3. How do CSRF (Cross-Site Request Forgery) attacks relate to cookies, and how can you mitigate them?
Answer: CSRF attacks exploit the fact that cookies are sent with every request. An attacker can trick a user into making an unintended request using their authenticated session. CSRF can be mitigated using anti-CSRF tokens, the SameSite cookie attribute, and validating the Origin or Referer header.

4. How do you prevent XSS (Cross-Site Scripting) attacks when using Local Storage or Session Storage?
Answer: To prevent XSS attacks, ensure proper input validation and sanitization of user inputs to avoid injecting malicious scripts. Additionally, use Content Security Policy (CSP) headers to restrict script execution from unauthorized sources.

5. Describe how a server can use cookies for user authentication.
Answer: Upon successful login, the server generates a session identifier or token and stores it in a cookie on the client. This cookie is sent with every subsequent HTTP request, allowing the server to verify the session and authenticate the user.

6. What are the main components of a JWT, and how is it validated?
Answer: A JWT has three components: Header, Payload, and Signature. The Header typically contains the type of token and signing algorithm. The Payload contains claims (user data). The Signature is created by encoding the header and payload with a secret or private key. The server validates a JWT by checking the signature using the secret key.

7. Why should sensitive information not be stored in the JWT payload?
Answer: The payload of a JWT is encoded, not encrypted, meaning anyone with access to the token can read its contents. Sensitive information should not be stored in the payload to avoid exposing it to potential attackers.

8. Can you explain the difference between a stateless session using JWT and a stateful session using cookies?
Answer: A stateless session using JWT stores all session data within the token, which is verified by the server on each request, without storing session data on the server. In contrast, a stateful session with cookies involves the server storing session data, and the client only holds a session ID in a cookie.

9. What are potential risks of storing JWTs in cookies, and how can they be mitigated?
Answer: If cookies aren't properly secured, they can be susceptible to CSRF attacks. This can be mitigated by using the SameSite, HttpOnly, and Secure flags in cookies and adding anti-CSRF tokens.

10. When would you invalidate a JWT, and how would you manage that on the server-side?
Answer: A JWT would need to be invalidated when the user logs out, the token expires, or there is suspicion of token theft. On the server side, you can manage this by maintaining a token blacklist or using short token expiration times with refresh tokens.

Scenario-Based Questions and Answers

1. You're tasked with building a login system. How would you decide whether to store session information in cookies or use JWTs?
Answer: If the system requires scalability and doesn't want to store session state on the server, using JWTs would be better since they are stateless. If there's a need to secure the token from client-side scripts, store the JWT in a cookie with the HttpOnly flag.

2. A user complains that they are logged out every time they close their browser. Explain how Session Storage could be the reason behind this issue.
Answer: Session Storage only persists data until the browser tab or window is closed, which could cause the user to lose session data. Switching to Local Storage or cookies could solve this issue.

3. In a Single Page Application (SPA), where would you store user session data, and why?
Answer: Typically, a JWT is used and stored in Local Storage for ease of access by the SPA's JavaScript. However, for security reasons, storing the token in an HttpOnly cookie is recommended to avoid XSS vulnerabilities.

4. Imagine you are developing a web app that requires persistent user data across sessions. What would you use—Local Storage or cookies? Why?
Answer: Local Storage is suitable for storing non-sensitive data persistently, as it isn't sent with every HTTP request like cookies. However, cookies would be better for server-side validation of the session state if the data is sensitive or used for authentication.

5. How would you implement secure authentication in a cross-origin setup using cookies?
Answer: For secure authentication in a cross-origin setup, ensure that the cookies have the SameSite=None, Secure, and HttpOnly flags set. Also, configure CORS (Cross-Origin Resource Sharing) to allow credentials to be sent across origins.
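An added example (not part of the original document) for scenario question 5, which also covers the cookie attributes from basic question 8 and advanced questions 1, 3 and 9: a Node.js helper that builds the Set-Cookie and CORS headers for a session cookie set by an API on one origin and used by a front end on another. It refuses the combinations that silently fail or weaken the cookie: SameSite=None without Secure, and Allow-Credentials with a wildcard origin. The cookie name, origins and token value are constructed assumptions.

```javascript
// Added example: cross-origin session cookie plus CORS-with-credentials headers.

// Serialise a cookie with its security attributes. Max-Age is preferred over Expires;
// both are accepted so either form of expiry from the answers above can be expressed.
function buildSetCookie(name, value, opts = {}) {
  const { maxAgeSeconds, expires, httpOnly = true, secure = true, sameSite = 'Lax', path = '/' } = opts;
  if (!/^[\w-]+$/.test(name) || /[;,\s]/.test(value)) throw new Error('invalid cookie name or value');
  // Browsers reject SameSite=None cookies that are not also Secure.
  if (sameSite === 'None' && !secure) throw new Error('SameSite=None requires Secure');
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (Number.isInteger(maxAgeSeconds)) parts.push(`Max-Age=${maxAgeSeconds}`);
  else if (expires instanceof Date) parts.push(`Expires=${expires.toUTCString()}`);
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// CORS with credentials: echo the request Origin only if it is on the allow-list.
// "Access-Control-Allow-Origin: *" is not permitted with credentials, so a null result
// means the credentialed cross-origin request must not be served.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.has(requestOrigin)) return null;
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Headers for a successful login on the API origin, called from an allowed front-end origin.
// With SameSite=None the cookie no longer protects against CSRF, so the API must still
// check an anti-CSRF token (not shown) on state-changing requests.
function loginResponseHeaders(requestOrigin, sessionToken, allowedOrigins) {
  const cors = corsHeadersFor(requestOrigin, allowedOrigins);
  if (!cors) return null;
  return {
    ...cors,
    'Set-Cookie': buildSetCookie('session', sessionToken, {
      maxAgeSeconds: 3600, httpOnly: true, secure: true, sameSite: 'None',
    }),
  };
}
```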

These Q&A cover different levels of understanding and help prepare you for technical discussions in interviews. Let me know if you'd like
further details on any topic!
