Hacker News
by jefftk, 2400 days ago
Correct. Authentication should always be via cookies with "HttpOnly" set, since (a) the cookie is not needed client side and (b) it somewhat limits the damage XSS can do.
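The attributes the comment is talking about, as an added example that is not part of the thread: a small helper that emits a hardened Set-Cookie header for a session cookie and an audit function that parses an arbitrary Set-Cookie value and flags a session cookie that is missing HttpOnly, Secure, or a SameSite restriction. The function names, the heuristic list of "session-looking" cookie names, and the sample header values are constructed for illustration.

```python
"""Build and audit Set-Cookie headers for authentication cookies.

Added example, not code from the Hacker News thread. The helper names
(build_session_cookie, audit_set_cookie), the session_names heuristic and
the sample header values are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    same_site: Optional[str]
    findings: List[str] = field(default_factory=list)


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Return a Set-Cookie header value for an auth cookie hardened with
    HttpOnly (not readable from document.cookie, so an XSS payload cannot
    simply exfiltrate it), Secure (sent only over TLS) and SameSite=Lax
    (not attached to cross-site POSTs)."""
    if not name or any(c in name for c in ";=, \t"):
        raise ValueError("invalid cookie name")
    if any(c in value for c in ';,"\\ \t'):  # keep the value token-safe
        raise ValueError("cookie value contains characters that need encoding")
    return (f"{name}={value}; Path=/; Max-Age={max_age}; "
            f"HttpOnly; Secure; SameSite=Lax")


def audit_set_cookie(header: str,
                     session_names: Tuple[str, ...] = ("session", "sid", "auth")
                     ) -> CookieAudit:
    """Parse one Set-Cookie header value and report missing hardening
    attributes for cookies whose name looks like a session/auth token.
    Attribute names are matched case-insensitively, as RFC 6265 requires."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() or None  # flag attrs have no value
    audit = CookieAudit(
        name=name,
        http_only="httponly" in attrs,
        secure="secure" in attrs,
        same_site=attrs.get("samesite"),
    )
    if any(s in name.lower() for s in session_names):
        if not audit.http_only:
            audit.findings.append("session cookie readable from JavaScript (no HttpOnly)")
        if not audit.secure:
            audit.findings.append("session cookie may be sent over plain HTTP (no Secure)")
        if audit.same_site is None or audit.same_site.lower() == "none":
            audit.findings.append("no SameSite restriction (CSRF exposure)")
    return audit


if __name__ == "__main__":
    # Constructed sample headers: one hardened, one as a framework might
    # emit it by default.
    for hdr in (build_session_cookie("session", "abc123"), "sid=xyz; Path=/"):
        report = audit_set_cookie(hdr)
        print(hdr, "->", report.findings or "ok")
```

The audit is the sort of check that belongs in a response-header test or a proxy log review: it reads Set-Cookie values as the server actually emits them, so a framework default that quietly drops HttpOnly shows up as a finding rather than being assumed.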