Randall Degges
Hey Yngvar,
I’m the author of that dev.to post, and also work here at Okta. While storing stuff in localStorage is definitely bad, in some cases you cannot avoid it. For instance, let’s say you’re building a single-page app with no server-side backend (like in this case). If you don’t have any sort of server-side backend at all, there’s no way you can generate a secure session cookie that can’t be accessed by JavaScript.
So while it is certainly true that this is less secure than a server-side counterpart, this is essentially the best type of security you can get for frontend-only apps!