loading...

re: Please Stop Using Local Storage VIEW POST

TOP OF THREAD FULL DISCUSSION
re: Can you clarify what you mean by a "stateless" API? If I'm reading you right, the concept seems kind of nonsensical to me. I'm going to respond to ...

cookies are inherently stateful because they require session data to be present on the server

Not exactly true. Many cookies use signatures or encryption to make the data trustworthy for the server, so there does not need to be the somewhat traditional "sessions" list in a database.

Cool, I didn't know that! How does credential revocation work in that context? Or do you just maintain a really short validity window?

Well, it doesn't necessarily work. One way is to keep short validity, another is to tie it to e.g. the last update of the relevant user's password, or similar - you wouldn't have to check the contents of the package, just that it's been signed after the password has last changed.

There are lots of little options you could use, but it's not always necessary.

I think lietu has just described JWT in a cookie ...

code of conduct - report abuse