DEV Community


Discussion on: JSON web tokens are NOT meant for authenticating the same user repeatedly: Use session tokens instead

andreidascalu profile image
Andrei Dascalu

Actually it's about the same. Nobody needs to "get" your token. Cookies are being sent on client side requests. Xss doesn't need to read your token, it needs to make requests on your behalf and can do so if your token is stored in cookie.

Forem Open with the Forem app