I'm currently developing a e-commerce site which is going to have around 500 items. I need the site to be supported by IE8+, Firefox, chrome.

The users of the site should be able to add the items to the cart even without login. once they login they should see the items in their cart which were added by them before login in the same browser. There is NO necessity that the cart items added in a browser has to be mapped to a user account or accessible across the devices where the user login.

Given these requirements, what is the best way to store the cart items, localstorage or serverside HTTP cookies ? Also need some inputs on the security issues(like xss..) which might arise on using localstorage, if there are any

Usually, the actual cart contents aren't stored locally, but rather the server coins a temporary userID, cookies that userID and then stores the cart contents for that userID in the server-side database. This allows you to use the exact same server-side code as you would use for a logged in user (where cart contents are stored server side based on the logged in userID) so that the cart can be accessed from any browser. The only difference is that the non-logged in user is given a temporary userID, not a permanent one.

If the user then logs in or creates an account after putting things in the cart, the cart contents can be assigned to the now permanent userID quite easily on the server.

Since cookies are interoperable everywhere, this answers the issue for IE8. Since cookies are of limited size, storing the cart contents in the server-side database and only using the cookie for the temporary userID handles that issue too.