Is it better to store an auth token in an HTTP read-only cookie or in state, and why?


OK, if someone is to use JWT auth, an SPA (React), and one server for resource and auth, and if we were to use refresh tokens and auth tokens, what is the better option:

1. Store refresh tokens (RT) in an HTTP read-only cookie (ROC), and the auth token in state (Context..)?
2. Store refresh and auth tokens in an HTTP read-only cookie?

Another question: Don't refresh tokens lose on security if we set them in a read-only cookie, because they are then sent on every resource request, and the point was that we use them once when we need another auth token? I get that HTTP read-only is better than setting refresh in some other place, but sending it every time is also bad..

Is there somewhere a case-by-case explanation for every combination when we use token auth:

1. Servers (when we have one or 2 (resource and auth))
2. Type of application (SPA)
3. Type of storing tokens on the front end and when to use what depending on security concerns.
4. Use case (e-commerce...)

I found a lot of different opinions on this matter online and here..
