by shartte
1874 days ago
The sole reason really is that the contents of an HttpOnly cookie cannot be exfiltrated by an XSS exploit, while a JWT stored in localStorage could be.
This would probably only make a difference if the JWT either has a long lifetime, or is usable outside of the site's origin.