DEV Community

Discussion on: Please Stop Using Local Storage

Nicholas Abrams

I believe that this article is a bit misleading. Given these facts:

  1. In many applications developed throughout the world, the JWT claims are used on the client as well as the server, so using the most secure form of cookie is out of the question for most. Also, cookie support in mobile can be wonky, so the cookie solution seems best suited for web-only clients. Also, the small size cap on cookies and serialization and parsing issues will add client performance overhead.

  2. document.cookie doesn't seem to offer any benefits over window.localStorage as far as XSS goes. The only benefit of the cookie is the SSL & HTTP only options, which should be enforced on the server to only serve over SSL and then use JWTs with the same benefit of always knowing they will be transferred over HTTPS.
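
For readers following the thread, an added example (not part of the comment above, and not code from the article): it parses `Set-Cookie` headers and reports what the two cookie options mentioned in point 2 change, namely which cookies a page script would see through `document.cookie` and which may travel over plain HTTP. The function names and header values are constructed for illustration.

```javascript
// Added example: classify Set-Cookie headers by the HttpOnly and Secure flags.
// Header values below are constructed sample data, not from a real service.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1), // keeps any '=' inside the value
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    switch (key.trim().toLowerCase()) {
      case 'httponly': cookie.httpOnly = true; break;
      case 'secure': cookie.secure = true; break;
      case 'samesite': cookie.sameSite = val.trim().toLowerCase(); break;
    }
  }
  return cookie;
}

// What any script on the page would get from document.cookie:
// browsers leave HttpOnly cookies out of that string.
function documentCookieView(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Per-cookie findings: readable by script, or eligible to be sent over plain HTTP.
function audit(headers) {
  return headers.map(parseSetCookie).map((c) => ({
    name: c.name,
    scriptReadable: !c.httpOnly,
    sentOverHttp: !c.secure,
  }));
}

const sampleHeaders = [
  'session=eyJhbGciOi.constructed.token; Path=/; HttpOnly; Secure; SameSite=Strict',
  'theme=dark; Path=/',
  'jwt=eyJhbGciOi.constructed.token; Path=/; Secure',
];

console.log(documentCookieView(sampleHeaders));
console.log(audit(sampleHeaders));
```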