treechicken@lemmy.world to Programmer Humor@lemmy.ml · 1 year agoSPAs were a mistakelemmy.worldimagemessage-square9fedilinkarrow-up14arrow-down10
arrow-up14arrow-down1imageSPAs were a mistakelemmy.worldtreechicken@lemmy.world to Programmer Humor@lemmy.ml · 1 year agomessage-square9fedilink
minus-squareAVincentInSpace@pawb.sociallinkfedilinkEnglisharrow-up0·1 year ago…so allow…either? What’s so hard about checking two headers (Authorization: and Cookie:) for the authtoken?
minus-squareimmortaly007@feddit.nllinkfedilinkarrow-up0·1 year agoIt’s a security thing. The HttpOnly cookie can’t be stolen using XSS or something like that, while a bearer token must be stored somewhere where javascript can see it.
minus-squaregornius@lemmy.worldlinkfedilinkarrow-up1·1 year agoThen again, cookie auth is vulnerable to CSRF. Pick your poison. Although CSRF protection just adds a minor inconvenience, while there is never a guarantee your code is XSS vulnerability free.
minus-squarelemmyvore@feddit.nllinkfedilinkEnglisharrow-up1·1 year agoThat’s assuming the client wants to make a web app. They may need to connect something else to that API. It’s perfectly normal to be able to cater to more authentication scenarios than “web app logging in directly to the target API and using its cookies”. If they want to make a web app they should use the cookie mechanism but ultimately each client app is responsible for how it secures its access.
…so allow…either?
What’s so hard about checking two headers (
Authorization:
andCookie:
) for the authtoken?It’s a security thing. The HttpOnly cookie can’t be stolen using XSS or something like that, while a bearer token must be stored somewhere where javascript can see it.
Then again, cookie auth is vulnerable to CSRF. Pick your poison.
Although CSRF protection just adds a minor inconvenience, while there is never a guarantee your code is XSS vulnerability free.
That’s assuming the client wants to make a web app. They may need to connect something else to that API.
It’s perfectly normal to be able to cater to more authentication scenarios than “web app logging in directly to the target API and using its cookies”.
If they want to make a web app they should use the cookie mechanism but ultimately each client app is responsible for how it secures its access.