[dead]
That's really surprising, thank you for following up long after this post has been flagged. That snippet certainly shows the refresh token is accessible client-side. I remain shocked that an auth company CEO would push…
Of course, I am not concerned that a 5 minute JWT is not HttpOnly. I did not intend to imply that. However, I am concerned that the refresh mechanism is also not HttpOnly. Firebase storing access tokens in client-side…
I signed in to stytch.com and see a cookie called "stytch_session_jwt" that is not set with HttpOnly. It appears to refresh against https://stytch.com/web/sdk/sessions/authenticate with a Basic auth token which is also…
[dead]
That's really surprising, thank you for following up long after this post has been flagged. That snippet certainly shows the refresh token is accessible client-side. I remain shocked that an auth company CEO would push…
Of course, I am not concerned that a 5 minute JWT is not HttpOnly. I did not intend to imply that. However, I am concerned that the refresh mechanism is also not HttpOnly. Firebase storing access tokens in client-side…
I signed in to stytch.com and see a cookie called "stytch_session_jwt" that is not set with HttpOnly. It appears to refresh against https://stytch.com/web/sdk/sessions/authenticate with a Basic auth token which is also…