DEV Community

Discussion on: Do you need OAuth/OAuth2/OpenID Connect?

Anton Frattaroli

Ah, yeah, seems to be pretty standard in Java stuff, which I avoided because of some experiences with Tomcat. ASP.NET uses a separate auth cookie from the session cookie. Even way back when I was doing PHP, it never occurred to me to lump the auth in with the session.

Sessions have made it onto my list of top hated things; I wouldn't use them for anything. But comparing an auth cookie without a session vs. an auth token, tokens look like the better option.