Kyle Edwards

Web Authentication

Cookies, LocalStorage, Sessions, and Tokens

JSON Web Tokens (or JWTs) are serialized data signed with a secret held on the server. They are stateless; unlike sessions, they do not require the server to store authenticated users. JWTs are difficult to revoke once they’ve been granted, while sessions can easily be removed.

Cookies are typically sent by the browser on each request, while tokens stored in LocalStorage must be retrieved and explicitly included as a header or query parameter.

Tokens are susceptible to cross-site scripting (XSS) attacks. If a malicious agent is allowed to execute scripts on your domain, they can use or even steal the token from a user’s LocalStorage. Cookies are more susceptible to CSRF vulnerabilities.

Refresh Tokens

Refresh tokens can be used in conjunction with typical sessions or JWTs. They can address a number of issues by preventing stale access tokens. Access can remain stateless while still allowing the site administrator to revoke a session within a limited timeframe.
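
The trade-off between stateless JWTs and revocable sessions, and how a refresh token bounds it, shown as an added Node.js example that is not part of the original notes. The 5-minute access lifetime, the in-memory Map, the random secret and all function names are assumptions made for illustration.

```javascript
// Added example: stateless HS256 access token plus a revocable refresh token.
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

const SECRET = randomBytes(32);   // server-held signing secret (constructed)
const ACCESS_TTL = 300;           // assumed access-token lifetime, in seconds
const refreshStore = new Map();   // refresh token -> user id: the only server state

const b64url = (v) => Buffer.from(v).toString('base64url');
const hmac = (data) => createHmac('sha256', SECRET).update(data).digest();

function signAccess(sub, now) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify({ sub, exp: now + ACCESS_TTL }));
  return `${head}.${body}.${b64url(hmac(`${head}.${body}`))}`;
}

// Stateless check: signature and expiry only, no lookup of stored users.
// The algorithm is fixed to HS256; the header's alg field is never trusted.
function verifyAccess(token, now) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const given = Buffer.from(sig, 'base64url');
  const expected = hmac(`${head}.${body}`);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  return claims.exp > now ? claims : null;
}

function login(sub, now) {
  const refresh = randomBytes(32).toString('base64url'); // opaque, not a JWT
  refreshStore.set(refresh, sub);
  return { access: signAccess(sub, now), refresh };
}

// Stateful check: a revoked refresh token can no longer mint access tokens.
function refreshAccess(refresh, now) {
  const sub = refreshStore.get(refresh);
  return sub ? signAccess(sub, now) : null;
}

// Revocation removes the server-side entry; access tokens already issued
// keep verifying until exp, so the session ends within ACCESS_TTL seconds.
const revoke = (refresh) => refreshStore.delete(refresh);
```

After `revoke`, the outstanding access token still passes `verifyAccess` until it expires, which is the "limited timeframe" in which the session remains usable.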

Safari Restrictions

Local development may need to run behind an SSL-encrypted reverse proxy (like Caddy or Nginx) because of localhost restrictions and the need for secure, HTTP-only cookies.

Cross-origin Authorization