Yup, you're right, I did not specifically mention that it was "localstorage as a means to store auth tokens". I thought it was kind of implicit.
I agree, things are most often actually implemented insecurely. That statement also applies to cookie usage, and let's be honest, to pretty much everything when you're dealing with security...
It might have been the implicit intention, but I do think there is a big difference between discussing JWTs stored in localstorage or localstorage as a technology.
Regardless, Sven Slootweg made two compelling posts in 2016 pointing out why using JWTs (stored in localstorage) instead of using a session cookie is a bad idea, and I think he does it without being distasteful about it.
I think that, as developers, we should be aware of these points so that when we do choose to use a JWT stored in localstorage as a session token, instead of using a cookie for session authentication, we can actively guard that we use a good implementation. So instead of saying "everything is insecure", we say "we're informed, and decided that it's Good Enough™".
People who blatantly say "don't use JWTs" or "don't use localStorage" without elaboration or without understanding the nuance of each decision are honestly not worth your (or my) time. It's indeed pointless.
I don't agree that it's the same as tabs vs spaces, but it definitely has the same level of tribalism (and with that it becomes pointless shouting instead of constructive debate).