Bachelor's and Master's in CS from MIT. Previously, worked @ Microsoft & Zynga. Currently Co-Founder of Moesif (moesif.com), the most advanced API analytics platform.
Somewhat. Basically, the point is that both approaches (cookies and localStorage) have risks and both have mitigation methods to address those risks. Both approaches are widely used in production. So both are ok to use if their risks are properly mitigated.
For the second part of your question: if you are using cookies, you are vulnerable to CSRF attacks. There are a few methods of mitigating it.
One method is anti-forgery tokens, which we covered briefly in the article.
Another method of mitigation (that we didn't cover in this article) is using the SameSite cookie setting, which needs browser support (caniuse.com/#feat=same-site-cookie...). If you believe all your customers will have modern browsers, then it might be ok. But it is hard to say if it is good enough for everything.
Like any mitigation method, and security in general, it is about reducing the risk; nothing is a silver bullet. All have to be applied correctly and thought out carefully. As software architects, we often need to balance the work/resources required and user experience against how sensitive/high-risk the data is. For example, what is good enough for a social app may not be good enough for a CIA app.
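An added Python example, not from the article or either commenter, showing the two layers the reply describes: a session cookie issued with SameSite (plus HttpOnly and Secure), a small model of when a supporting browser attaches such a cookie, and an HMAC-derived anti-forgery token that the server checks on every state-changing request regardless of browser support. `SECRET_KEY`, the `headers`/`form` dict shapes and the cookie name `session` are assumptions of the example.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed server secret for the example; a real deployment loads a random key from config.
SECRET_KEY = b"example-only-secret-key-change-me"

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def session_cookie_header(session_id, same_site="Lax"):
    """Set-Cookie value for the session cookie: HttpOnly keeps scripts from
    reading it, Secure restricts it to HTTPS, and SameSite tells a supporting
    browser not to attach it to cross-site requests (Lax still allows
    top-level GET navigations; Strict allows none)."""
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite={same_site}"


def browser_attaches_cookie(same_site, method, cross_site, top_level_navigation):
    """Model of the SameSite rules a modern browser applies when deciding
    whether to send the cookie. Same-site requests always carry it."""
    if not cross_site or same_site == "None":
        return True
    if same_site == "Strict":
        return False
    # Lax: only top-level navigations using a safe method carry the cookie
    return top_level_navigation and method in SAFE_METHODS


def csrf_token(session_id):
    """Anti-forgery token bound to the session via a keyed HMAC, so it can be
    checked statelessly and cannot be forged without SECRET_KEY."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def validate_state_changing_request(headers, form):
    """Second layer, independent of browser support: a POST is accepted only
    when the session cookie is present AND the form carries the token derived
    from that same session. A cross-site form post cannot know the token."""
    cookies = SimpleCookie(headers.get("Cookie", ""))
    if "session" not in cookies:
        return False, "no session cookie"
    session_id = cookies["session"].value
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, csrf_token(session_id)):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```

Older browsers ignore the SameSite attribute, which is why the token check is kept as a separate layer rather than relying on the cookie setting alone.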
Thanks for sharing! Do I get it right that you say
Do you think the SameSite cookie setting is a powerful enough anti-CSRF method, assuming a modern browser?