Not sure that's the real alternative. Sessions need to be stored somewhere server side (while tokens don't) but token are also stored in cookies (just not sent via cookies)
Client side it's the same type of problem. You need to store the session Id or the token somewhere on the client before it's sent back to server, preferably in a way that's protected against xss and csrf.
Yeah, I think that's the reason as to why cookie-based authentication is not that much used nowadays. Most applications use token based authentication
Not sure that's the real alternative. Sessions need to be stored somewhere server side (while tokens don't) but token are also stored in cookies (just not sent via cookies)
Client side it's the same type of problem. You need to store the session Id or the token somewhere on the client before it's sent back to server, preferably in a way that's protected against xss and csrf.
yeah sure.