seandoe 4 days ago

I think they mean storing an identifier in local or session storage and then sending it in the header.

bvrmn 4 days ago | parent | next [-]

Identifier in local storage could be stolen by 3rd party JavaScript. Anybody who wants to use local storage for sensitive information should read why there is an httpOnly cookie attribute.

IgorPartola 4 days ago | parent [-]

If you are running third party JS on your site they can just make requests to your server now. Once JS is loaded it is running in the context of your domain. No, they can’t do it once the user closes the browser, but third party JS is XSS in action.

And I am not suggesting using local storage for it. I am suggesting adding browser support for standard/generic login UI. Basically think basic auth, just not so basic.

bvrmn 4 days ago | parent [-]

> Basically think basic auth, just not so basic

It's like technobros trying to invent an inferior train with each pod iteration.

baggy_trough 4 days ago | parent | prev [-]

It doesn't work with basic multi page sites though.

seandoe 4 days ago | parent [-]

Oh right, strictly for SPAs.