by gravlaks 1870 days ago
One reason is if you store refreshTokens in localStorage, a hacker's XSS attack can send the refreshToken to himself, and keep refreshing the token forever (or until somebody actively invalidates the session) - and thus use the token for whatever evil purpose.
1 comments

Can't you just read document.cookies to get the token at that point?
I believe refresh tokens are supposed to be HTTP Only