by bob1029
936 days ago
I had a problem with cookies on iOS/Safari, so we reached for the last hope: URL query args. Works flawlessly now. If you use an external identity provider, you can hypothetically avoid storing any cookies at all in first party terms. All you'd have would be 3rd party AAD tokens or whatever. The only reason we even need first party client state is because we want to allow each user simultaneous app sessions that have a lifetime decoupled from IdP semantics. This is what we store in the URL query (a GUID). Sessions are still bound to user principals, so you would get yelled at if you tried to screenjack someone else's.
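An added sketch of the binding described in the comment above, not the commenter's code: the GUID in the URL only selects a session, and the server accepts it only when the session's owner matches the principal taken from the already-verified IdP token. The `sid` parameter name, the `SessionStore` class, the one-hour lifetime and the example hosts are assumptions made for illustration.

```python
import hmac
import time
import uuid
from urllib.parse import parse_qs, urlparse

SESSION_TTL = 3600  # assumed app-session lifetime, independent of the IdP token


class SessionStore:
    """In-memory store mapping a URL-carried GUID to its owning principal."""

    def __init__(self):
        self._sessions = {}  # sid -> (principal, expires_at)

    def create(self, principal, now=None):
        """Open one more session for a principal; several may coexist."""
        now = time.time() if now is None else now
        sid = str(uuid.uuid4())  # random GUID, drawn from os.urandom
        self._sessions[sid] = (principal, now + SESSION_TTL)
        return sid

    def resolve(self, url, principal, now=None):
        """Return the session id if the URL's GUID belongs to `principal`.

        `principal` must come from the verified IdP token, never from the URL.
        """
        now = time.time() if now is None else now
        values = parse_qs(urlparse(url).query).get("sid", [])
        if len(values) != 1:  # missing or ambiguous (repeated) parameter
            return None
        try:
            sid = str(uuid.UUID(values[0]))  # reject anything that is not a GUID
        except ValueError:
            return None
        record = self._sessions.get(sid)
        if record is None:
            return None
        owner, expires_at = record
        if now >= expires_at:
            del self._sessions[sid]  # expired sessions are dropped on sight
            return None
        # The GUID alone grants nothing: a copied URL fails this check.
        if not hmac.compare_digest(owner.encode(), principal.encode()):
            return None
        return sid
```

Because the identifier travels in the URL, it also lands in browser history, proxy and server logs and `Referer` headers, which is why the owner check, rather than the secrecy of the GUID, has to carry the authorization decision.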