@LuisHill9 @TkDodo Yes, but this is highlighting the way of sharing this token to the client. The client needs to know the token so it can use the token when it makes requests to the server so the server can authenticate them. If you store this with LocalStorage API though, you can use JS to get

1 min read Original article ↗

Yes, but this is highlighting the way of sharing this token to the client. The client needs to know the token so it can use the token when it makes requests to the server so the server can authenticate them. If you store this with LocalStorage API though, you can use JS to get access to that token. The attacker here hid malicious JS in that bookmark link to get the user's token out of LocalStorage and send it to the attacker when clicked. And once the attacker has the token, they can take over the account completely. Using cookies w/ HttpOnly makes it so that when the server sends the token to the client, the browser manages the token and resends it with every request to the server, but any JS or app code won't have access to that token - preventing this kind of attack (developer.mozilla.org/en-US/docs/Web…)