Cookie-stored access tokens combined with a CSRF token are the safest form of JWT session management because you are completely resilient to XSS attacks. Request forgery attacks are mitigated by the CSRF token. See CookieAuthenticationsController & RefreshCookiesController.
An access token can be willfully passed down to your client application, but this technique is not recommended for web pages or SPAs. See TokenAuthenticationsController & RefreshTokensController.
All of these new controllers are well tested. All classes have detailed class comments.
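The two flows described above, as an added example that is not part of the project's controllers: plain Ruby without Rails, using a minimal HS256 JWT with a constructed secret. The cookie flow binds a random CSRF token into the signed token and sets the cookie HttpOnly, so a script cannot read the access token and a forged cross-site request cannot supply the matching `X-CSRF-Token` header (the header name and cookie name are assumptions for this example). The bearer flow skips the CSRF check but requires the client to hold the token where script can reach it, which is the exposure the text warns about for web pages and SPAs.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# Constructed signing secret for this example only; a real app uses a
# dedicated secret (e.g. Rails.application.secret_key_base), never a literal.
SECRET = 'example-only-hmac-secret'.freeze

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Constant-time comparison so signature/CSRF checks do not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Minimal HS256 JWT encoder: header.payload.signature, all base64url.
def encode_jwt(payload, secret = SECRET)
  header = b64url({ alg: 'HS256', typ: 'JWT' }.to_json)
  body   = b64url(payload.to_json)
  sig    = b64url(OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{body}"))
  "#{header}.#{body}.#{sig}"
end

# Returns the payload hash, or nil when the signature or the exp claim fails.
def decode_jwt(token, secret = SECRET, now = Time.now.to_i)
  header, body, sig = token.to_s.split('.')
  return nil unless header && body && sig
  expected = b64url(OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{body}"))
  return nil unless secure_compare(expected, sig)
  payload = JSON.parse(Base64.urlsafe_decode64(body))
  return nil if payload['exp'] && payload['exp'] <= now
  payload
rescue ArgumentError, JSON::ParserError
  nil
end

# Cookie flow: the access token lives in an HttpOnly cookie (unreadable by
# script); the CSRF token is both signed into the JWT and handed back in the
# response body so the SPA can echo it in a header on every request.
def issue_cookie_session(user_id, now = Time.now.to_i)
  csrf = SecureRandom.hex(32)
  jwt  = encode_jwt(sub: user_id, csrf: csrf, exp: now + 900)
  {
    cookies: { 'access_token' => { value: jwt, http_only: true, secure: true, same_site: 'Strict' } },
    csrf_token: csrf
  }
end

# Server-side check for a cookie-authenticated request. The browser attaches
# the cookie automatically, so a forged cross-site request arrives with a valid
# token but cannot supply the matching X-CSRF-Token header and is rejected.
def authenticate_cookie_request(cookies, headers, now = Time.now.to_i)
  payload = decode_jwt(cookies.dig('access_token', :value), SECRET, now)
  return { ok: false, reason: :invalid_token } unless payload
  header_csrf = headers['X-CSRF-Token'].to_s
  return { ok: false, reason: :csrf_mismatch } unless secure_compare(payload['csrf'].to_s, header_csrf)
  { ok: true, user_id: payload['sub'] }
end

# Bearer flow: the token is passed down to the client and returned in the
# Authorization header. No CSRF token is needed because the browser never adds
# this header on its own, but the client must store the token in script-readable
# storage, which is why the text discourages it for web pages and SPAs.
def authenticate_bearer_request(headers, now = Time.now.to_i)
  auth = headers['Authorization'].to_s
  return { ok: false, reason: :missing_bearer } unless auth.start_with?('Bearer ')
  payload = decode_jwt(auth.delete_prefix('Bearer '), SECRET, now)
  return { ok: false, reason: :invalid_token } unless payload
  { ok: true, user_id: payload['sub'] }
end
```

Because the CSRF token is a claim inside the signed JWT, the server keeps no per-session state for it: tampering with the cookie invalidates the signature, and omitting or guessing the header fails the constant-time comparison.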
See issue #8