That's correct.
As far as I know, if you're rolling your own authentication, a session token in an HttpOnly cookie should suffice.
The main reason to separate the access and refresh token is in cases where you need access to the token on the client side, e.g. to make requests from an iFrame or in situations where you don't have access to the cookies.