On Wednesday, October 12, 2016 at 2:13:16 PM UTC+1, Fa Qing wrote:
>
> Let's say that every response includes a dynamic "token" header value, and
> every request needs to return that token in the headers.
>
Don't forget that you can use a cookie or secure cookie for this purpose. It's hard to see that using a bearer token in an Authorization header is better than a secure cookie, because the browser enforces some extra constraints around secure cookies to make them more secure, and the cookies are shared across a domain, meaning if the user pops up a second tab by ctrl-clicking a link in your application, authentication can flow across. However, it seems not to be the done thing for REST APIs.
