6 Matching Annotations
  1. Oct 2021
    1. With HttpOnly you only prevent reading the cookie with JS, but it's still possible to make requests in the name of the user.
    2. They are on the client side, but (usually) they are HttpOnly. Now if they are part of the session, any client-side script is able to access them, and I just don't like introducing vulnerabilities knowingly. As I said above, I found a workaround that works for me, and you may have a different opinion from me on how much of a risk this is.
  2. Jun 2021
    1. In short: storing the token in HttpOnly cookies mitigates XSS being used to get the token, but opens you up to CSRF, while the reverse is true for storing the token in localStorage.
    2. I started off really wanting to use HttpOnly cookies
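The two annotations above (HttpOnly only hides the cookie from JS while requests still carry it; HttpOnly cookies trade XSS exposure for CSRF exposure, localStorage the reverse) describe browser rules that are easy to check in a small model. The following is an added example written for this page, not code from any of the annotated authors. It simulates just enough of a browser (a cookie jar that honours HttpOnly and SameSite=Strict, a per-origin localStorage, credentialed requests) and a toy server that accepts either a session cookie or a bearer token. The class and function names, the origins `app.example` / `evil.example` and the secret values are all constructed for the example.

```javascript
// Added example: model of why HttpOnly cookies resist XSS but not CSRF,
// and why a localStorage token is the other way round. All names,
// origins and secrets below are constructed, not from the annotated page.
const APP = 'https://app.example';   // constructed: the application's origin
const EVIL = 'https://evil.example'; // constructed: an attacker-controlled origin
const SESSION = 'sess-0123';         // constructed session cookie value
const TOKEN = 'jwt-4567';            // constructed bearer token

class Browser {
  constructor() {
    this.cookies = [];         // { name, value, host, httpOnly, sameSite }
    this.storages = new Map(); // origin -> Map; localStorage is per origin
  }

  setCookie(origin, name, value, { httpOnly = false, sameSite = 'None' } = {}) {
    this.cookies.push({ name, value, host: new URL(origin).host, httpOnly, sameSite });
  }

  // What document.cookie exposes to a script running on pageOrigin:
  // only that host's cookies, and never those flagged HttpOnly.
  documentCookie(pageOrigin) {
    const host = new URL(pageOrigin).host;
    return this.cookies
      .filter(c => c.host === host && !c.httpOnly)
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }

  localStorage(origin) {
    if (!this.storages.has(origin)) this.storages.set(origin, new Map());
    return this.storages.get(origin);
  }

  // A credentialed request from a page on pageOrigin to target. Cookies for
  // the target host are attached automatically, whatever page started the
  // request; SameSite=Strict cookies are withheld when the sites differ.
  request(pageOrigin, target, method, headers = {}) {
    const targetHost = new URL(target).host;
    const crossSite = new URL(pageOrigin).host !== targetHost;
    const cookie = this.cookies
      .filter(c => c.host === targetHost && !(crossSite && c.sameSite === 'Strict'))
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
    return { method, headers: { ...headers, cookie } };
  }
}

// Toy resource server: a request is authenticated if it carries either the
// session cookie or the bearer token.
function serverAuthenticates(req) {
  const cookies = Object.fromEntries(
    (req.headers.cookie || '').split('; ').filter(Boolean).map(kv => kv.split('='))
  );
  if (cookies.session === SESSION) return true;
  return (req.headers.authorization || '') === `Bearer ${TOKEN}`;
}

// Scenario 1: the session lives in an HttpOnly cookie.
function httpOnlyCookieScenario(sameSite = 'None') {
  const b = new Browser();
  b.setCookie(APP, 'session', SESSION, { httpOnly: true, sameSite });
  // Injected script (XSS) on the app origin tries to read the session.
  const xssLeak = b.documentCookie(APP).includes(SESSION);
  // A page on the attacker's origin fires a state-changing request at the app;
  // the browser attaches the cookie for it (the CSRF case).
  const csrfReq = b.request(EVIL, APP, 'POST');
  return { xssLeak, csrfSucceeds: serverAuthenticates(csrfReq) };
}

// Scenario 2: the token lives in localStorage and the app's own script
// attaches it as a header.
function localStorageScenario() {
  const b = new Browser();
  b.localStorage(APP).set('token', TOKEN);
  // XSS runs with the app origin, so it reads the token directly.
  const xssLeak = b.localStorage(APP).get('token') === TOKEN;
  // The attacker page cannot read app.example's storage and the browser never
  // attaches it, so the forged request arrives without credentials.
  const csrfReq = b.request(EVIL, APP, 'POST');
  // The legitimate app script adds the header explicitly.
  const legitReq = b.request(APP, APP, 'POST', {
    authorization: `Bearer ${b.localStorage(APP).get('token')}`,
  });
  return {
    xssLeak,
    csrfSucceeds: serverAuthenticates(csrfReq),
    legitSucceeds: serverAuthenticates(legitReq),
  };
}

console.log('HttpOnly cookie:', httpOnlyCookieScenario());
console.log('HttpOnly + SameSite=Strict:', httpOnlyCookieScenario('Strict'));
console.log('localStorage token:', localStorageScenario());
```

Running it shows the trade-off the annotations describe: the HttpOnly cookie is invisible to the injected script but the cross-site POST still arrives authenticated, while the localStorage token is read outright by the injected script but the cross-site POST arrives with no credentials at all. The `'Strict'` run is the caveat a practitioner wants alongside the cookie choice: with SameSite=Strict the forged request loses the cookie, so "HttpOnly cookies open you up to CSRF" holds for the cookie attributes in isolation, not for a cookie-based session as such.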
  3. May 2021