1

I think I understand the difference between tokens and session ids.

But it seems to me that it has a major security issue so I've probably misunderstood something :

If someone steals my token or my session id then he can pretend to be me, right? Some XSS attack, or some F12 on my friend's computer is enough to see the info, right?

Gabriel
  • 163
  • 1
  • 1
  • 15

1 Answers1

1

Yes. That's why you wouldn't leave your device unattended to take care of the F12 part.

XSS cannot steal httpOnly cookie.

I've covered mist of these in the following two answers.

https://stackoverflow.com/a/54258744/1235935

https://stackoverflow.com/a/59464645/1235935

Saptarshi Basu
  • 8,640
  • 4
  • 39
  • 58