authentication – Are the compromises of putting an authentication token in an HTTP-only cookie for a SPA worth it?

I'm building a web application (Rails API + SPA) to learn / have fun and I'm researching authentication. The most commonly recommended approach for authenticating SPAs that I have read is to place the authentication token (such as a JWT) in a secure, HTTP-only cookie to protect it from XSS. This seems to have some consequences:

But what is the real disadvantage of just storing the authentication token in the browser's storage (i.e., session storage)? XSS becomes slightly more convenient for the attacker? Even with an HTTP-only cookie, the attacker can still use the authentication token by making requests directly from the site, because if there is an XSS vulnerability, it is not necessary to be able to read the token to use it.

It seems that the popular recommendation only complicates things, requiring protection against CSRF, simply to make things a bit more difficult for the attacker in the case of XSS. Given the number of resources making these recommendations, I feel that I am missing something and I would appreciate any comments or clarification!

Here are some sources I've read that have been quite categorical against browser storage for authentication tokens:

[FREE] 78 WordPress Premium Themes worth $ 2886 | NewProxyLists

So here you have 78 WordPress Premium themes worth $ 2886.

There is at least one for every niche you can think of!




VBulletin 5 Offer – Worth it?


We currently use vBulletin 4 and they currently have a 50% offer. Do you think the upgrade will be worth it? …

Is it worth investing in stocks?

Good!! Did you know? Today, many people are investing in the stock market because they earn quite a good income.

More importantly, I wanted to know how to invest online in the stock market. is it worse?

What is your point of view on the stock market?


Google2Google Backlinks is it worth developing?

Is it worth developing backlinks on multiple platforms owned by Google? Would this help / hinder the optimization of your out-of-page search engine? Backs that you can think of? From the point of view of link development, most webmasters are starting to develop their internet marketing. However, the exposure of your content on the Web is not always the development of your website's links in terms of creating / securing / optimizing this reference link Search engine optimization that points backwards …

WordPress Specialist Hosts – Worth it or a hype?

I have a number of WordPress sites. I was interested in the market and people like Siteground, etc., position themselves as W specialists …

How much is Warpstone worth?

The mere possession of iron stone is of course punishable by death in the Empire. But how much money should players receive if they managed to sell a few kilos on the black market?

Is it worth upgrading from 6D Mark 2 to EOS RP?

If you want to get closer to the world of mirrorless cameras, is it worth it to switch to RP technology? From the specifications, they are almost the same camera.

Is Eurail worth traveling between Lyon and London?

My son who studies in Lyon, France, wants to enjoy his weekends by visiting other European cities this weekend. In addition, he intends to visit his sister who is studying in London. To this end, he intends to obtain a Eurail pass. The SNCF website does not make any difference in price, whether or not you have a Eurail Pass. Is the UK not considered part of the Eurail network? I'm confused.

Is it worth it to be more in the industry?

Is it worth it to be more in the accommodation sector?

Is there money to be won?

Did this increase in Cpanel Price start killing hosts to $ 1 of the game or do they all go to liveadmin to stay in the game?

After working in the industry for many years, I started to wonder if it was even worth having a website or even being in business. Last year, I closed the doors due to personal circumstances and I could not even see Canada's rising prices come around the corner.

Should I stay outside or come back because I'm pausing?

Is it too much to try to cover all aspects of the business, domains, hosting, SSL, etc.?