I've finished designing a RESTful API, in which I authenticate each request with an API Token that's sent as a param.
Now I want to create a client interface, and I was wondering what's a properly secure way to manage a session with each browser client.
I've thought about a flow to keep the server side stateless:
But something doesn't seem right to me here... isn't this too vulnerable?
Let's assume I'm using SSL, but still, can't the API token be stolen easily that way?
Is it even a proper way to work?
According to Stormpath:
[...] store your tokens in cookies for web applications, because of the additional security they provide, and the simplicity of protecting against CSRF with modern web frameworks. HTML5 Web Storage is vulnerable to XSS, has a larger attack surface area, and can impact all application users on a successful attack.