Of course, all communication must happen over https, but I specifically meant http-only cookie, it's a type of cookie that is stored in the browser's memory, but is not accessible via JavaScript. That's an extra measure of security to prohibit stealing of session cookie by a scripting attack. That's the only reason why not to use the local storage. Of course, the browser must support this specific cookie type to process it's accessability accordingly.
Pāvils On Monday, 28 November 2016 04:17:13 UTC+2, Sander Elias wrote: > > Hi Pāvils, > > I assume you mean a https-only cookie? That would do. I slightly prefer > localstorage, and avoid cookies altogether. I agree on the 'closed' gate > idea. > You can set up your express server to demand the token for everything, > with exception of the things you need to get for login. Best practices > depend mostly on the router (or lack of one). If you are using auth, > passportjs has your moslty covvered. > > Regards > Sander > -- You received this message because you are subscribed to the Google Groups "Angular" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/angular. For more options, visit https://groups.google.com/d/optout.
