| ▲ | seandoe 10 months ago |
| I think they mean storing an identifier in local or session storage and then sending it in the header. |
|
| ▲ | bvrmn 10 months ago | parent | next [-] |
| An identifier in local storage could be stolen by 3rd party JavaScript. Anybody who wants to use local storage for sensitive information should read why there is an httpOnly cookie attribute. |
| |
| ▲ | IgorPartola 10 months ago | parent [-] |
| If you are running third party JS on your site they can just make requests to your server now. Once JS is loaded it is running in the context of your domain. No, they can’t do it once the user closes the browser, but third party JS is XSS in action. And I am not suggesting using local storage for it. I am suggesting adding browser support for standard/generic login UI. Basically think basic auth, just not so basic. |
| ▲ | bvrmn 10 months ago | parent [-] |
| > Basically think basic auth, just not so basic |
| It's like technobros trying to invent an inferior train with each pod iteration. |
|
| ▲ | baggy_trough 10 months ago | parent | prev [-] |
| It doesn't work with basic multi page sites though. |
| |