Can't change the name, too many other places that use it
No sleep during the day - work and the noisy things that live under my desk called dogs keep me awake
I stand by my title and statement.
A human being should be able to change a diaper, plan an invasion, butcher a hog, navigate a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects! - Lazarus Long
Some people recommend local storage (or session storage). Others proclaim it's a terrible idea, because it could be stolen by XSS or a compromised CDN script.
The only other option appears to be a cookie. But if you need to access that from your SPA script, it can't be marked as "HTTP only", so the same XSS / compromised CDN script could steal it just as easily. And if it's sent automatically on every request to the API, then you're open to XSRF.
The client can't trust the server. The server can't trust the client. Neither of them can trust the pipe between them. And those of us who are supposed to make it all work keep getting distracted by the latest shiny framework that's supposed to fix everything, so long as you don't look too closely at the security implications.
The solution is simple: we just need to - OH LOOK! A SQUIRREL!
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer