"...unless you are operating at the size of Reddit, you will not need 'stateless sessions'." So for the rest of 99% of the technology world, you don't need stateless session because TFA says so.
There are some "hard" trade-offs in using stateless sessions and the article argues that you are better off storing sessions on the server, as long as it doesn't start costing you more than dealing with such trade-offs.
> The only correct CSRF mitigation is a CSRF token
Custom headers are better, imho, if you have an ajax-driven app. There is 0 chance of csrf ever happening if you require the session token be passed in a custom header and hold the session value in localstorage.
3 comments
[ 3.0 ms ] story [ 18.2 ms ] threadHere's an actual quote from the article:
"...unless you are operating at the size of Reddit, you will not need 'stateless sessions'." So for the rest of 99% of the technology world, you don't need stateless session because TFA says so.
There are some "hard" trade-offs in using stateless sessions and the article argues that you are better off storing sessions on the server, as long as it doesn't start costing you more than dealing with such trade-offs.
> The only correct CSRF mitigation is a CSRF token
Custom headers are better, imho, if you have an ajax-driven app. There is 0 chance of csrf ever happening if you require the session token be passed in a custom header and hold the session value in localstorage.
Source: I am an infosec professional.