alexanderscott/backbone-login

Cookies

Closed this issue · 1 comment

Another suggestion....I would consider not using any cookie helpers. Cookies should be locked and not accessible by JavaScript for security reasons. If someone manages to inject malicious code, the user's cookies could be stolen.

@ix-xerri Cookies have become fundamental to modern authentication flow, and this app demonstrates how to manage them safely & effectively.

Cookies are always accessible by JavaScript on the client... just check the console. They are sent with every XHR to the specified domain. I think you are confusing signed cookies (created by the server, unreadable garbage to the client) with unsigned cookies (created by client or server, readable by both). No sensitive auth information should ever be passed through unsigned cookies.

--Alex