245

SPAs were a mistake (lemmy.world)

submitted 9 months ago by treechicken@lemmy.world to c/programmerhumor@lemmy.ml

19 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[-] AVincentInSpace@pawb.social 1 points 9 months ago

...so allow...either?

What's so hard about checking two headers (Authorization: and Cookie:) for the authtoken?

[-] immortaly007@feddit.nl 1 points 9 months ago

It's a security thing. The HttpOnly cookie can't be stolen using XSS or something like that, while a bearer token must be stored somewhere where javascript can see it.

[-] lemmyvore@feddit.nl 1 points 9 months ago

That's assuming the client wants to make a web app. They may need to connect something else to that API.

It's perfectly normal to be able to cater to more authentication scenarios than "web app logging in directly to the target API and using its cookies".

If they want to make a web app they should use the cookie mechanism but ultimately each client app is responsible for how it secures its access.

[-] gornius@lemmy.world 1 points 9 months ago

Then again, cookie auth is vulnerable to CSRF. Pick your poison.

Although CSRF protection just adds a minor inconvenience, while there is never a guarantee your code is XSS vulnerability free.

this post was submitted on 12 Dec 2023

245 points (95.9% liked)

Programmer Humor

32050 readers

1556 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

Posts must be relevant to programming, programmers, or computer science.
No NSFW content.
Jokes must be in good taste. No hate speech, bigotry, etc.

founded 5 years ago

MODERATORS

cat_programmer@lemmy.ml

AgreeableLandscape@lemmy.ml