This question on StackOverflow addresses this issue on Android. It seemed to me that the AccountManager resource would be the equivalent of safe cookies in this case? My lack of expertise in the area can't give me enough assurance.
Hi! Nice article!
Regarding #2, you're assuming that it's a browser on the client side (so that you can use a cookie). In the case of a mobile app, what would be a secure alternative to having the token in the response body? Use an HTTP response header?
Regards!
Hey Alexandre, thanks for stopping by!
That's correct, the advice assumes the client is a web browser.
I don't have experience with native mobile apps at all, but I found some potentially useful references:
Again, not my area of expertise. These are just what seemed relevant to me from a quick web search. Use with caution! 😉
(greetings from Minas, Brazil! 😄)