by stillbourne
927 days ago
I agree, give everyone a session cookie with an encrypted session id, store JWTs in the HTTP context for the session, make the cookie unreadable by JS. If you need to read the properties from the token, make an endpoint for that. For God's sake stop giving out the JWTs directly to the client.