getting too soon Google CDN cache eviction or bug - google-cloud-cdn

Im checking CDN hit/miss from cache, using same PC, same client address and requesting same URL:
***Scenario 1 Cache-Control 1day, 1month, 1 year:
-Hour 12:00
user1 Request URL it not found, cache filled.
-Hour 12:05
user1 Request URL found, cache HIT response.
-Hour 12:10
user1 Request URL not found, cache filled.
***Scenario 2 (using same internet gateway) Cache-Control 1day, 1month, 1 year
-Hour 12:00
At Building Organization User1 Request URL, Url not found but on second request cache hit
-Hour 12:01
At same Building Organization User2 Request same URL, and voila again Url not found but on second request cache hit
***Scenario 3 (using same internet gateway) Cache-Control 1day, 1month, 1 year
-Hour 12:00
At Building Organization User1 Request URL using Edge Browser, Url not found but on second request cache hit then same user on same PC, open Chrome or Firefox Request URL and voila again Url not found and cache again need to fill
Why cache out very soon even if cache-control set for 1day, 1month or 1year, or if use diferent browser? this is a bug?.

It's not a bug. In many metropolitan areas, Google Cloud CDN operates multiple caches. If you check the logs for the cache misses in your example, you will likely find the requests were served by distinct caches. You won't get cache hits from a particular cache until that cache has had a chance to cache the content.
cloud.google.com/cdn/docs/logging describes how to view log entries. In each log entry, the cacheId field identifies which cache served the response. Even once a response is cached, max-age and s-maxage specify only the maximum amount of time that response can be used. There's more information about expiration and eviction at cloud.google.com/cdn/docs/overview#eviction_and_expiration.

Cache modes 1 controls the factors that determine whether and how CDN caches your content. For example if you are using USE_ORIGIN_HEADERS as the cache mode then we should be looking at values mentioned against max-age and s-maxage mentioned in the response to check the TTL of the cached content. Since s-maxage overrides max-age, we shall look at the configured value for s-maxage. If we look at the best practices, it is advised to keep this value a bit large so that the content in the cache does not expire soon.
Also to maximise performance of Google CDNs, we need to increase the amount of incoming requests per url.
Now lets consider an example where a user is using a HTTPS load balancer with Cloud run endpoints in europe-west1. This means that request to certain URL can go to either endpoints in either zone: europe-west1-a/b/c. The request first reaches primary GFEs near to the user and then the secondary GFEs available in each zone if primary GFEs do not have the requested data in their cache.
Now a new request will hit the primary GFEs nearer to the user and the data will get cached in that GFEs cache after contacting the backend, provided no data related to the request was found in that GFEs cache. Now there is a high possibility that primary GFE used for the first request might not be used again for the second request. For data to be served from primary GFE's cache, the request should have entered all the primary GFEs nearer to the user. Scenarios wherein the data was not present in primary GFEs cache, the request goes to secondary GFEs available in the region. Let us say the second request went to secondary GFE and that did not have any data pertaining to that URL in its cache. In that case the request will go the backend. Now considering for the third request, a primary GFE chose another secondary GFE within a zone (not the one mentioned previously), which did not have entry, then again the request will go to the backend. Now there can be a scenario wherein the first few requests forwarded by primary GFE were to a different secondary GFEs everytime, which did not have data pertaining to that URL in their cache and all the requests had to be forwarded to the backend.
Also referring to your concern about hitting cache from same browser, this behaviour is intended because Google Cloud uses anycast virtual IPs to load balance CDN traffic (which also explains the behaviour mentioned in the example above). Some of the other CDN providers load balance at the DNS level so all requests goes to the same edge server.

Related

Google Drive API /files slow response

I want to ask for help/ideas on the issue I will describe below.
Our iOS app allows users to access their Google Drive files.
We use Changes API (https://developers.google.com/drive/api/v3/reference/changes). The main pre-condition to using this API is to build a local DB that holds the snapshot of the user's Drive file tree and the token. To initially fill the DB we must request the list of all files from user's Drive. Getting the list of all files (with metadata) takes too long for many of our users. This is the issue I want to address.
We request files with the series of Files requests (https://developers.google.com/drive/api/v3/reference/files/list). Most requests are plain files?q=trashed%20%3D%20false.
For example, at my own private Google Drive:
69K files
initial request of all files takes 5+ minutes with my current network speed (Download 527 Mbps, Upload 417 Mbps; ping www.googleapis.com – 40–45 ms)
~150 requests
each request brings information about ~460 files
each request takes around 2-2.5 seconds
Sometimes I observed requests to take up to 6 seconds, which means that getting all files list took 15 minutes at my account.
If I look at the Developer Console, the latency is below 0.1s
Many of our users have Drives far bigger than mine. Standard iOS app user's session is not long enough to complete the initial request. We do save every intermediate page token so that all data received during single app session is not lost if user leaves the app – next session we will keep downloading data from the last saved token. But still there're some cases when our app needs the DB to be filled out with data before starting some operations – in that case our users see "Pending..." progress and they complain that our app is slow.
So, questions:
is it possible to improve the described request speed/latency?
maybe there's some quota that we are missing and it can be changed?
maybe someone can advice a more effective way of getting all files list?
P.S. We could potentially reduce the amount of requests. We have to perform some double checks for Shared with Me folders as we observed that sometimes request of all files doesn't list all files from Shared folders. That's a bit of a side story, and I don't think this will dramatically improve situation for us. I can provide more details on the actual set of requests we perform if necessary.
Are you returning all the fields - I would assume so since the only query param provided is trashed=false as the query param. Do you need all the fields? Can you try to reduce the query to only return the fields you really care about (using a field mask) and see if that improves your performance?

AWS Cloudfront with Beanstalk origin - how to avoid redirect to origin

On one of my Beanstalk application Cloudfront redirects user to the origin, instead of caching.
Similar to AWS CloudFront with multiple S3 origins, or https://github.com/Wolox/tech-guides/blob/master/infrastructure/docs/aws/docs/cloudfront-eb-configuration.md.
I saw "The most important step is choosing Forward All, cache based on all in the Query String Forwarding and Caching option. When using an EB load balancer as origin, leaving this option on its None option will cause the distribution to redirect requests instead of caching them." suggestion, but Cloudfront behaviour page was updated, and I couldn't find relevant options anymore.
OK, it was simple - Cloudfront has to forward the Host header. I'm curious why it's not a default cache behavior.
From https://aws.amazon.com/premiumsupport/knowledge-center/configure-cloudfront-to-forward-headers/:
Under Cache key and origin requests, confirm that Legacy cache settings is selected. If it's not selected, then follow the steps in the preceding section to create a cache policy. If Legacy cache settings is selected, then complete the following:
For Headers, select Include the following headers.
From the Add header dropdown list, select Host.

Chrome DevTools - what does 'Queueing' means in the Timing tab?

In DevTools on the Timing tab you can see the following states:
_
Except 'Queueing' all states are explained in the DevTools documentation. Do you know what browser does in the Queueing phase ? What queue are we talking about ?
Thx
Additionally it seems that Queueing can take place at the beginning of connection setup and also at the beginning of the 'Request/Response' phase ?
From: Chrome Developers - Network features reference
Queuing
If a request is queued it indicated that:
The request was postponed by the rendering engine because it's considered lower priority than critical resources (such as scripts/styles). This often happens with images.
The request was put on hold to wait for an unavailable TCP socket that's about to free up.
The request was put on hold because the browser only allows six TCP connections per origin on HTTP 1.
Time spent making disk cache entries (typically very quick.)
Update from #cyptus comment:
With chrome v76 the network tabs will hide the CORS preflight (OPTIONS) request. The request that triggered this CORS will include the time the (invisible) OPTIONS request took in the queueing timing.
Update from #tamilsweet comment:
To show the CORS preflight follow Chrome not showing OPTIONS requests in Network tab
Another possibility may be there is a fresh service worker which is trying to install or activate. Keep the service worker url solid among your page visits.

What is the difference between localStorage, sessionStorage, session and cookies?

What are the technical pros and cons of localStorage, sessionStorage, session and cookies, and when would I use one over the other?
This is an extremely broad scope question, and a lot of the pros/cons will be contextual to the situation.
In all cases, these storage mechanisms will be specific to an individual browser on an individual computer/device. Any requirement to store data on an ongoing basis across sessions will need to involve your application server side - most likely using a database, but possibly XML or a text/CSV file.
localStorage, sessionStorage, and cookies are all client storage solutions. Session data is held on the server where it remains under your direct control.
localStorage and sessionStorage
localStorage and sessionStorage are relatively new APIs (meaning, not all legacy browsers will support them) and are near identical (both in APIs and capabilities) with the sole exception of persistence. sessionStorage (as the name suggests) is only available for the duration of the browser session (and is deleted when the tab or window is closed) - it does, however, survive page reloads (source DOM Storage guide - Mozilla Developer Network).
Clearly, if the data you are storing needs to be available on an ongoing basis then localStorage is preferable to sessionStorage - although you should note both can be cleared by the user so you should not rely on the continuing existence of data in either case.
localStorage and sessionStorage are perfect for persisting non-sensitive data needed within client scripts between pages (for example: preferences, scores in games). The data stored in localStorage and sessionStorage can easily be read or changed from within the client/browser so should not be relied upon for storage of sensitive or security-related data within applications.
Cookies
This is also true for cookies, these can be trivially tampered with by the user, and data can also be read from them in plain text - so if you are wanting to store sensitive data then the session is really your only option. If you are not using SSL, cookie information can also be intercepted in transit, especially on an open wifi.
On the positive side cookies can have a degree of protection applied from security risks like Cross-Site Scripting (XSS)/Script injection by setting an HTTP only flag which means modern (supporting) browsers will prevent access to the cookies and values from JavaScript (this will also prevent your own, legitimate, JavaScript from accessing them). This is especially important with authentication cookies, which are used to store a token containing details of the user who is logged on - if you have a copy of that cookie then for all intents and purposes you become that user as far as the web application is concerned, and have the same access to data and functionality the user has.
As cookies are used for authentication purposes and persistence of user data, all cookies valid for a page are sent from the browser to the server for every request to the same domain - this includes the original page request, any subsequent Ajax requests, all images, stylesheets, scripts, and fonts. For this reason, cookies should not be used to store large amounts of information. The browser may also impose limits on the size of information that can be stored in cookies. Typically cookies are used to store identifying tokens for authentication, session, and advertising tracking. The tokens are typically not human readable information in and of themselves, but encrypted identifiers linked to your application or database.
localStorage vs. sessionStorage vs. Cookies
In terms of capabilities, cookies, sessionStorage, and localStorage only allow you to store strings - it is possible to implicitly convert primitive values when setting (these will need to be converted back to use them as their type after reading) but not Objects or Arrays (it is possible to JSON serialise them to store them using the APIs). Session storage will generally allow you to store any primitives or objects supported by your Server Side language/framework.
Client-side vs. Server-side
As HTTP is a stateless protocol - web applications have no way of identifying a user from previous visits on returning to the web site - session data usually relies on a cookie token to identify the user for repeat visits (although rarely URL parameters may be used for the same purpose). Data will usually have a sliding expiry time (renewed each time the user visits), and depending on your server/framework data will either be stored in-process (meaning data will be lost if the web server crashes or is restarted) or externally in a state server or database. This is also necessary when using a web-farm (more than one server for a given website).
As session data is completely controlled by your application (server side) it is the best place for anything sensitive or secure in nature.
The obvious disadvantage of server-side data is scalability - server resources are required for each user for the duration of the session, and that any data needed client side must be sent with each request. As the server has no way of knowing if a user navigates to another site or closes their browser, session data must expire after a given time to avoid all server resources being taken up by abandoned sessions. When using session data you should, therefore, be aware of the possibility that data will have expired and been lost, especially on pages with long forms. It will also be lost if the user deletes their cookies or switches browsers/devices.
Some web frameworks/developers use hidden HTML inputs to persist data from one page of a form to another to avoid session expiration.
localStorage, sessionStorage, and cookies are all subject to "same-origin" rules which means browsers should prevent access to the data except the domain that set the information to start with.
For further reading on client storage technologies see Dive Into Html 5.
LocalStorage
Pros:
Web storage can be viewed simplistically as an improvement on cookies, providing much greater storage capacity. If you look at the Mozilla source code we can see that 5120KB (5MB which equals 2.5 Million chars on Chrome) is the default storage size for an entire domain. This gives you considerably more space to work with than a typical 4KB cookie.
The data is not sent back to the server for every HTTP request (HTML, images, JavaScript, CSS, etc) - reducing the amount of traffic between client and server.
The data stored in localStorage persists until explicitly deleted. Changes made are saved and available for all current and future visits to the site.
Cons:
It works on same-origin policy. So, data stored will only be available on the same origin.
Cookies
Pros:
Compared to others, there's nothing AFAIK.
Cons:
The 4K limit is for the entire cookie, including name, value, expiry date etc. To support most browsers, keep the name under 4000 bytes, and the overall cookie size under 4093 bytes.
The data is sent back to the server for every HTTP request (HTML, images, JavaScript, CSS, etc) - increasing the amount of traffic between client and server.
Typically, the following are allowed:
300 cookies in total
4096 bytes per cookie
20 cookies per domain
81920 bytes per domain(Given 20 cookies of max size 4096 = 81920 bytes.)
sessionStorage
Pros:
It is similar to localStorage.
The data is not persistent i.e. data is only available per window (or tab in browsers like Chrome and Firefox). Data is only available during the page session. Changes made are saved and available for the current page, as well as future visits to the site on the same tab/window. Once the tab/window is closed, the data is deleted.
Cons:
The data is available only inside the window/tab in which it was set.
Like localStorage, it works on same-origin policy. So, data stored will only be available on the same origin.
Checkout across-tabs - how to facilitate easy communication between cross-origin browser tabs.
OK, LocalStorage as it's called it's local storage for your browsers, it can save up to 10MB, SessionStorage does the same, but as it's name saying, it's session based and will be deleted after closing your browser, also can save less than LocalStorage, like up to 5MB, but Cookies are very tiny data storing in your browser, that can save up 4KB and can be accessed through server or browser both...
I also created the image below to show the differences at a glance:
here is a quick review and with a simple and quick understanding
from instructor Beau Carnes from freecodecamp
These are properties of 'window' object in JavaScript, just like document is one of a property of window object which holds DOM objects.
Session Storage property maintains a separate storage area for each given origin that's available for the duration of the page session i.e as long as the browser is open, including page reloads and restores.
Local Storage does the same thing, but persists even when the browser is closed and reopened.
You can set and retrieve stored data as follows:
sessionStorage.setItem('key', 'value');
var data = sessionStorage.getItem('key');
Similarly for localStorage.
Exact use case -
If you want your page to always hold some data that is not confidential, then you can use localStorage.
If the server needs to know some information like authentication keys, you should use cookies to store them.
sessionStorage can be used to store the state of the interface, i.e., whenever you visit a page, customize it, visit another page and return to the same page, you would want to show the page how the user customized it. That’s a good use case for sessionStorage.
The Web Storage API provides mechanisms by which browsers can securely store key/value pairs, in a much more intuitive fashion than using cookies.
The Web Storage API extends the Window object with two new properties — Window.sessionStorage and Window.localStorage. — invoking one of these will create an instance of the Storage object, through which data items can be set, retrieved, and removed. A different Storage object is used for the sessionStorage and localStorage for each origin (domain).
Storage objects are simple key-value stores, similar to objects, but they stay intact through page loads.
localStorage.colorSetting = '#a4509b';
localStorage['colorSetting'] = '#a4509b';
localStorage.setItem('colorSetting', '#a4509b');
The keys and the values are always strings. To store any type convert it to String and then store it. It's always recommended to use Storage interface methods.
var testObject = { 'one': 1, 'two': 2, 'three': 3 };
// Put the object into storage
localStorage.setItem('testObject', JSON.stringify(testObject));
// Retrieve the object from storage
var retrievedObject = localStorage.getItem('testObject');
console.log('Converting String to Object: ', JSON.parse(retrievedObject));
The two mechanisms within Web Storage are as follows:
sessionStorage maintains a separate storage area for each given originSame-origin policy that's available for the duration of the page session (as long as the browser is open, including page reloads and restores).
localStorage does the same thing, but persists even when the browser is closed and reopened.
Storage « Local storage writes the data to the disk, while session storage writes the data to the memory only. Any data written to the session storage is purged when your app exits.
The maximum storage available is different per browser, but most browsers have implemented at least the w3c recommended maximum storage limit of 5MB.
+----------------+--------+---------+-----------+--------+
| | Chrome | Firefox | Safari | IE |
+----------------+--------+---------+-----------+--------+
| LocalStorage | 10MB | 10MB | 5MB | 10MB |
+----------------+--------+---------+-----------+--------+
| SessionStorage | 10MB | 10MB | Unlimited | 10MB |
+----------------+--------+---------+-----------+--------+
Always catch LocalStorage security and quota exceeded errors
QuotaExceededError: When storage limits exceeds on this function window.sessionStorage.setItem(key, value);, it throws a "QuotaExceededError" DOMException exception if the new value couldn't be set. (Setting could fail if, e.g., the user has disabled storage for the site, or if the quota has been exceeded.)
DOMException.QUOTA_EXCEEDED_ERR is 22, example fiddle.
SecurityError : Uncaught SecurityError: Access to 'localStorage' is denied for this document.
CHROME:-Privacy and security « Content settings « Cookies « Block third-party cookies.
StorageEvent « The storage event is fired on a document's Window object when a storage area changes. When a user agent is to send a storage notification for a Document, the user agent must queue a task to fire an event named storage at the Document object's Window object, using StorageEvent.
Note: For a real world example, see Web Storage Demo. check out the source code
Listen to the storage event on dom/Window to catch changes in the storage. fiddle.
Cookies (web cookie, browser cookie) Cookies are data, stored in small text files as name-value pairs, on your computer.
JavaScript access using Document.cookie
New cookies can also be created via JavaScript using the Document.cookie property, and if the HttpOnly flag is not set, existing cookies can be accessed from JavaScript as well.
document.cookie = "yummy_cookie=choco";
document.cookie = "tasty_cookie=strawberry";
console.log(document.cookie);
// logs "yummy_cookie=choco; tasty_cookie=strawberry"
Secure and HttpOnly cookies HTTP State Management Mechanism
Cookies are often used in web application to identify a user and their authenticated session
When receiving an HTTP request, a server can send a Set-Cookie header with the response. The cookie is usually stored by the browser, and then the cookie is sent with requests made to the same server inside a Cookie HTTP header.
Set-Cookie: <cookie-name>=<cookie-value>
Set-Cookie: <cookie-name>=<cookie-value>; Expires=<date>
Session cookies will get removed when the client is shut down. They don't specify the Expires or Max-Age directives.
Set-Cookie: sessionid=38afes7a8; HttpOnly; Path=/
Permanent cookies expire at a specific date (Expires) or after a specific length of time (Max-Age).
Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly
The Cookie HTTP request header contains stored HTTP cookies previously sent by the server with the Set-Cookie header. HTTP-only cookies aren't accessible via JavaScript through the Document.cookie property, the XMLHttpRequest and Request APIs to mitigate attacks against cross-site scripting (XSS).
Cookies are mainly used for three purposes:
Session management « Logins, shopping carts, game scores, or anything else the server should remember
Personalization « User preferences, themes, and other settings
Tracking (Recording and analyzing user behavior) « Cookies have a domain associated to them. If this domain is the same as the domain of the page you are on, the cookies is said to be a first-party cookie. If the domain is different, it is said to be a third-party cookie. While first-party cookies are sent only to the server setting them, a web page may contain images or other components stored on servers in other domains (like ad banners). Cookies that are sent through these third-party components are called third-party cookies and are mainly used for advertising and tracking across the web.
Cookies were invented to solve the problem "how to remember information about the user":
When a user visits a web page, his name can be stored in a cookie.
Next time the user visits the page, cookies belonging to the page is added to the request. This way the server gets the necessary data to "remember" information about users.
GitHubGist Example
As summary,
localStorage persists over different tabs or windows, and even if we close the browser, accordingly with the domain security policy and user choices about quota limit.
sessionStorage object does not persist if we close the tab (top-level browsing context) as it does not exists if we surf via another tab or window.
Web Storage (session, local) allows us to save a large amount of key/value pairs and lots of text, something impossible to do via cookie.
Cookies that are used for sensitive actions should have a short lifetime only.
Cookies mainly used for advertising and tracking across the web. See for example the types of cookies used by Google.
Cookies are sent with every request, so they can worsen performance (especially for mobile data connections). Modern APIs for client storage are the Web storage API (localStorage and sessionStorage) and IndexedDB.
Local storage: It keeps store the user information data without expiration date this data will not be deleted when user closed the browser windows it will be available for day, week, month and year.
In Local storage can store 5-10mb offline data.
//Set the value in a local storage object
localStorage.setItem('name', myName);
//Get the value from storage object
localStorage.getItem('name');
//Delete the value from local storage object
localStorage.removeItem(name);//Delete specifice obeject from local storege
localStorage.clear();//Delete all from local storege
Session Storage: It is same like local storage date except it will delete all windows when browser windows closed by a web user.
In Session storage can store upto 5 mb data
//set the value to a object in session storege
sessionStorage.myNameInSession = "Krishna";
Session: A session is a global variable stored on the server. Each session is assigned a unique id which is used to retrieve stored values.
Cookies: Cookies are data, stored in small text files as name-value pairs, on your computer. Once a cookie has been set, all page requests that follow return the cookie name and value.
LocalStorage:
Web storage can be viewed simplistically as an improvement on
cookies, providing much greater storage capacity. Available size is
5MB which considerably more space to work with than a typical 4KB
cookie.
The data is not sent back to the server for every HTTP request
(HTML, images, JavaScript, CSS, etc) - reducing the amount of
traffic between client and server.
The data stored in localStorage persists until explicitly deleted.
Changes made are saved and available for all current and future
visits to the site.
It works on same-origin policy. So, data stored will only be
available on the same origin.
Cookies:
We can set the expiration time for each cookie
The 4K limit is for the entire cookie, including name, value, expiry date etc. To support most browsers, keep the name under 4000 bytes, and the overall cookie size under 4093 bytes.
The data is sent back to the server for every HTTP request (HTML, images, JavaScript, CSS, etc) - increasing the amount of traffic between client and server.
sessionStorage:
It is similar to localStorage.
Changes are only available per window (or tab in browsers like Chrome and Firefox). Changes made are saved and available for the current page, as well as future visits to the site on the same window. Once the window is closed, the storage is deleted
The data is available only inside the window/tab in which it was set.
The data is not persistent i.e. it will be lost once the window/tab is closed. Like localStorage, it works on same-origin policy. So, data stored will only be available on the same origin.
localStorage
data stored with localStorage has no expiration date, and gets cleared only through JavaScript, or clearing the Browser cache / Locally Stored Data.
The storage limit is the maximum amongst the three.
The data stored in localStorage persists until explicitly deleted. Changes made are saved and available for all current and future visits to the site.
It works on the same-origin policy. So, data stored will only be available on the same origin.
sessionStorage
It stores data only for a session, meaning that the data is stored until the browser (or tab) is closed.
Data is never transferred to the server.
Changes are only available per window (or tab in browsers like Chrome and Firefox). Changes made are saved and available for the current page, as well as future visits to the site on the same window. Once the window is closed, the storage is deleted.
I would expect that sessionStorage would be faster as it doesn’t need to write to the disk (lacking persistency). But my simple console tests shows that they are equal in performance 😔
let item = 500000;
const start = Date.now();
while(item) {
sessionStorage.setItem('testKey', item);
item = parseInt(sessionStorage.getItem('testKey'));
item--;
}
console.log('SessionStorage PERF: (lower is better)', Date.now() - start);
same code for local storage
let item = 500000;
const start = Date.now();
while(item) {
localStorage.setItem('testKey', item);
item = parseInt(localStorage.getItem('testKey'));
item--;
}
console.log('LocalStorage PERF: (lower is better)', Date.now() - start);
results:
SessionStorage PERF: (lower is better) 2889
SessionStorage PERF: (lower is better) 2852
LocalStorage PERF: (lower is better) 2807
LocalStorage PERF: (lower is better) 2889

Clear html5 sessionStorage across http/https

I have two websites http://www.example.com and https://www.example.com. I am using HTML5 session storage to store user preferences.
A user arrives at http://www.example.com and I load some default settings via ajax.
They browse to a page requiring login and are sent to https://www.example.com/login.html
After they are done logging in they are sent back to http://www.example.com where because they are now logged in I should fetch new settings from the server. The trouble is that http and https are different origins and can't share session storage.
Things I've tried that don't work:
Loading a page http://www.example.com/clearSession.html in an iframe that just runs sessionStorage.removeItem('key') to clear my data, but it seems that this has it's own browsing context so it doesn't work.
Things I've tried that work but I'm not wanting to use:
Using a cookie. This works great because http and https can share cookies but this means all my user settings get sent to the server with every resource request. This is usually about 4k but could be up to 1MB of data. No I can't host my resources on a different domain.
Don't cache the settings and just make the request every time to get the settings. I am doing this on older browsers as they don't support session storage but it slows down the page load and puts extra load on my database.
I can tell you how we have solved this problem, but it doesn't involve local sessionStorage. We use a server-side session to store the user's login data (username, ID, etc.) after they have been to our authentication server and back. Before they are authenticated you could still collect preference data from them by using AJAX to report these preferences back to a web service on the server that can store it in the server's session scope. This would break the RESTful model, however, because it would assume the use of server side sessions. That would depend on your server language and how you have your web services set up.
I think you will always bump into that origin problem because that is a restriction designed into local storage in general.
Switch everything to https, its a standard now.