[coder543]

> If you’re using tokens for auth and don’t want to use session cookies

That sounds like a self-inflicted problem. Even if you’re using tokens, why not store them in a session cookie marked with SameSite=strict, httpOnly, and secure? Seems like it would make everything simpler, unless you’re trying to build some kind of cross-site widget, I guess.

[szastamasta]

I need to work with more than 1 backend :)

[coder543]

This is such an opaque response, I don't know what else could be said. If you're sending the same token to multiple websites, something feels very wrong with that situation. If it's all the same website, you can have multiple backends "mounted" on different paths, and that won't cause any problems with a SameSite cookie.

[szastamasta]

Then you need a single point of failure that is handling session validation. Without it part of your app might work even without your sessions storage.

[coder543]

You can store a JWT in a session cookie. You don’t need a SPoF for session validation, if that’s not what you want.