On Wednesday, October 12, 2016 at 2:13:16 PM UTC+1, Fa Qing wrote:
> Let's say that every response includes a dynamic "token" header value, and 
> every request needs to return that token in the headers.

Don't forget that you can use a cookie or secure cookie for this purpose. 
Its hard to see that using a bearer token in an Authorization header is 
better than a secure cookie, because - the browser enforces some extra 
constraints around secure cookie to make them more secure and the cookies 
are shared accross a domain meaning if the user pops up a second tap by 
ctrl-clicking a link in your application, authentication can flow accross. 
However, it seems not to be the done thing for REST APIs.

You received this message because you are subscribed to the Google Groups "Elm 
Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to elm-discuss+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to