Message from JavaScript discussions

January 2018

— The browser will auto-send the cookie though, which means every other website on the internet can send it too

To secure it, you need another token, but not as a cookie, rather just in localStorage, which only scripts from your origin can see

— When I coded PHP, I used several cookies with different expiration times, so if any cookie from the browser was broken, the session terminated

— A simple img tag can attack your app from any website if you only use cookies

— Your browser will happily send the cookie along with any request from any site, to your app's server

— Maybe yes, but it doesn't send the expiration time

— Not sure what you mean, if it's in cookies it gets sent

— Whereas localStorage isn't sent automatically and has to be used by your scripts

— So if I receive a csrf I take the token and blacklist it

— Yeah, you can detect CSRF attempts sometimes. If your server gets the JWT, for example, but not any other tokens like CSRF tokens, then the server can know that something is wrong and blacklist that JWT

— An img tag should be injected somehow first, right? To steal the cookie

— No