On Wednesday, October 12, 2016 at 2:13:16 PM UTC+1, Fa Qing wrote:
>
> Let's say that every response includes a dynamic "token" header value, and
> every request needs to return that token in the headers.
>
Don't forget that you can use a cookie or secure cookie for this purpose. It's hard to see that using a bearer token in an Authorization header is better than a secure cookie, because the browser enforces some extra constraints around secure cookies to make them more secure, and the cookies are shared across a domain, meaning if the user pops up a second tab by ctrl-clicking a link in your application, authentication can flow across. However, it seems not to be the done thing for REST APIs.