[blincoln]

The HttpOnly flag isn't really practical in modern web apps where so much logic runs in JS in the browser and makes requests to APIs. It's a leftover from an earlier era of web app architecture.

If it can be enabled without breaking something, sure, its a good idea, but unless your app is 2000s-era ASP.NET code or CGI script, preventing browser-side JS from accessing the session token will probably break something.

[Macha]

Right, but if you're doing a SPA, your SPA makes the login call and stores a copy of the session token in local storage, which unlike a cookie isn't automatically sent on any request, never mind cross-origin ones. Doesn't prevent against XSS of course, but then that's what CSP is for.

[bastawhiz]

It's only necessary to store the login token if your backend is on a different origin than your SPA is served from. It's not especially hard to avoid this.

[smagin]

You shouldn't need your session token in JS, you can specify your fetch requests to include cookies, and you can setup CORS to allow that.