Let's say that I have a web application that is 100% behind login, something like https://app.aceinvoice.com.
When it comes to choosing an authentication mechanism, we have a choice to make.
If we use cookies and mark them as HttpOnly, then JavaScript running on the page cannot read them, so an XSS attack cannot steal the session cookie.
If instead of cookies we use some kind of auth token, the question becomes where we store that token so that it survives a refresh of the browser. If we store the auth token in session storage, then upon closing the browser the token is gone, which means the user is not logged in anymore.
If we store the auth token in local storage, then we need to guard the application against XSS attacks, since any script running on the page can read local storage. On the other hand, because our own code attaches the token to each request rather than the browser sending it automatically, the application is secure from CSRF attacks.
Hopefully, having gone through all the security-related chapters, it is clear that there is no clear winner here.
Both strategies, using cookies or using auth tokens, have their own advantages and disadvantages. We need to know these pros and cons so that we know where to concentrate on strengthening the security of the application.