DEV Community

Discussion on: Setting the cookies using the JS, axios and expressJS

nigel447 • Edited

"httpOnly:true This option is very crucial here. It tells the browser don't allow any JS touch it. Which means its totally secure. This is protected from the Cross Origin Attack"

HttpOnly only stops JS from reading the cookie, not from sending it, typically to a hostile endpoint that can access the session. For this attack to succeed you need sameSite: "none", which is basically bad.

You should use sameSite -> lax | strict to be safe.

Nothing is totally secure; code defensively.

Atul Anand Oraon

Thanks a lot for stopping by and enlightening us. Will definitely take care and update it

nigel447

Hi Atul,

Your article is good; the only issue is that you are vulnerable to CSRF attacks if you keep
sameSite: "none"

Security is hard and we are all learning all the time.
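As an added example (not code from the article or from either commenter), the following Node.js script models what both of nigel447's comments describe: it builds a Set-Cookie header from Express-style cookie options, audits those options for the exposure discussed above (HttpOnly missing, SameSite=None), and models which cross-site requests a browser would attach the cookie to under each SameSite value. The helper names and the simplified browser model are my own assumptions, not part of Express or any library; it runs with plain Node.js and no dependencies.

```javascript
// Added example for the thread above: Set-Cookie construction, an audit of
// Express-style cookie options, and a simplified model of SameSite behaviour.
// All function names here are my own; they are not Express APIs.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);
const VALID_SAME_SITE = new Set(['Strict', 'Lax', 'None']);

// Express accepts sameSite as true | 'strict' | 'lax' | 'none' (case-insensitive);
// normalise to the capitalised header form, or undefined when unset.
function normalizeSameSite(value) {
  if (value === undefined || value === null || value === false) return undefined;
  if (value === true) return 'Strict';
  const s = String(value);
  const cap = s.charAt(0).toUpperCase() + s.slice(1).toLowerCase();
  if (!VALID_SAME_SITE.has(cap)) throw new TypeError(`invalid sameSite value: ${value}`);
  return cap;
}

// Build the Set-Cookie header value. maxAge is in seconds here (the header's
// unit); note that Express's res.cookie() takes maxAge in milliseconds.
function buildSetCookie(name, value, opts = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new TypeError('invalid cookie name');
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  parts.push(`Path=${opts.path || '/'}`);
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (opts.secure) parts.push('Secure');
  if (opts.httpOnly) parts.push('HttpOnly');
  const sameSite = normalizeSameSite(opts.sameSite);
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Return a list of findings for a session-cookie configuration. An empty list
// means the options cover the points raised in the thread.
function auditCookieOptions(opts = {}) {
  const findings = [];
  const sameSite = normalizeSameSite(opts.sameSite);
  if (!opts.httpOnly) {
    findings.push('HttpOnly missing: script running on the page can read the cookie');
  }
  if (!opts.secure) {
    findings.push('Secure missing: the cookie is also sent over plaintext HTTP');
  }
  if (sameSite === 'None') {
    if (!opts.secure) findings.push('SameSite=None requires Secure; current browsers reject it otherwise');
    findings.push('SameSite=None: the browser attaches the cookie to cross-site requests, so a session cookie is CSRF-exposed unless a separate CSRF token is checked');
  } else if (!sameSite) {
    findings.push('SameSite unset: not every browser defaults to Lax; set Lax or Strict explicitly');
  }
  return findings;
}

// Simplified model of when a browser attaches the cookie to a request.
// req = { crossSite: boolean, topLevelNavigation: boolean, method: string }
// An unset SameSite is treated as None here, the worst case and the old default.
function cookieSentOn(sameSite, req) {
  const mode = normalizeSameSite(sameSite) || 'None';
  if (!req.crossSite) return true; // same-site requests always carry the cookie
  switch (mode) {
    case 'Strict':
      return false;
    case 'Lax':
      // Lax allows only top-level navigations with a safe method, so a
      // cross-site form POST or fetch() does not carry the cookie.
      return Boolean(req.topLevelNavigation) && SAFE_METHODS.has(String(req.method).toUpperCase());
    default:
      return true;
  }
}

// Demonstration: the article's configuration versus the hardened one.
const articleOptions = { httpOnly: true, secure: true, sameSite: 'none', maxAge: 3600 };
const hardenedOptions = { httpOnly: true, secure: true, sameSite: 'lax', maxAge: 3600 };
const crossSitePost = { crossSite: true, topLevelNavigation: false, method: 'POST' };

console.log(buildSetCookie('sid', 'abc 123', articleOptions));
console.log('findings (article):', auditCookieOptions(articleOptions));
console.log('findings (hardened):', auditCookieOptions(hardenedOptions));
console.log('cross-site POST carries cookie with none:', cookieSentOn('none', crossSitePost));
console.log('cross-site POST carries cookie with lax:', cookieSentOn('lax', crossSitePost));
```

The audit deliberately treats SameSite=None as a finding even when Secure is set: the cookie is valid in that form, but a session cookie sent on every cross-site request needs a separate CSRF defence (a synchroniser or double-submit token checked on the server), which is the point the thread makes.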