• NotSteve_@piefed.ca · 11 points · 4 days ago

    I know enough about them (mainly a BE dev though) but I’m also a bit confused. A session token would be how you keep someone logged in, what’s wrong with that?

    • Elvith Ma'for@feddit.org · 9 points · 4 days ago

      What immediately stands out to me: the Secure attribute is not set (only transmit via TLS, never unencrypted). Also - especially if used for a session cookie - the HttpOnly attribute should probably also be set (= value not accessible from JS, only sent in request headers).

      • NotSteve_@piefed.ca · 5 points · 4 days ago

        Oh right, that makes sense; it’s been quite a while since I’ve done web development. That seems rather subtle though, right? Not sure if the comic OP is just flat anti-cookie without nuance, but it gives that vibe.

    • PoolloverNathan@programming.dev · 2 points · 4 days ago

      A session token… set by JavaScript, with no secure attribute, and no domain. (and no expiry, but I think that just uses browser lifetime)
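
As an added example that is not part of the thread, a small Node.js check for the Set-Cookie attributes the two replies above discuss (Secure, HttpOnly, Domain, expiry, plus SameSite), with a hardened session cookie header beside the weak one. The header values are constructed for illustration; nothing here is from the comic or any real site.

```javascript
// Added example (not from the thread). Assumes Node.js, no third-party modules.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const k = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Findings a reviewer would raise for a cookie that carries a session token.
function auditSessionCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.secure) findings.push('missing Secure: browser also sends it over plain HTTP');
  if (!attrs.httponly) findings.push('missing HttpOnly: readable by page JavaScript');
  const ss = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  if (ss !== 'lax' && ss !== 'strict') findings.push('SameSite not Lax/Strict: sent on cross-site requests');
  // No Domain attribute means host-only (tighter); a Domain widens it to subdomains.
  if (attrs.domain) findings.push(`Domain=${attrs.domain}: cookie shared with all subdomains`);
  return findings;
}

// Hardened session cookie: host-only (no Domain) and session-scoped (no Expires/Max-Age),
// which is the usual choice for a login token that should end with the browser session.
function hardenedSessionCookie(name, value) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample of the kind of cookie the thread describes.
const weak = 'session=abc123; Path=/';
console.log(auditSessionCookie(weak));
console.log(auditSessionCookie(hardenedSessionCookie('session', 'abc123')));
```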