Database and cookies.
You should be saving any carts of logged in users to the database (for reference / recommendations later). And cookies are used as a backup for the current cart, or for guest carts.
You can use localstorage as long as security isn't an issue (which shouldn't be, since all requests should be server-validated anyway). I'd just lean on cookies cause they're more reliable (server can access them -- while browser can't).