On Wednesday, October 12, 2016 at 2:13:16 PM UTC+1, Fa Qing wrote:
> Let's say that every response includes a dynamic "token" header value, and
> every request needs to return that token in the headers.
Don't forget that you can use a cookie or secure cookie for this purpose.
It's hard to see that using a bearer token in an Authorization header is
better than a secure cookie, because - the browser enforces some extra
constraints around secure cookies to make them more secure and the cookies
are shared across a domain, meaning if the user pops up a second tab by
ctrl-clicking a link in your application, authentication can flow across.
However, it seems not to be the done thing for REST APIs.