Reference: Token Based Authentication for Single Page Apps
I see a lot of discussions where cookies are pitted against access tokens. We have all been burned by systems that store a session ID in a cookie that is not secured and therefore gets stolen. That is bad, but it is not a reason to use tokens; it is a reason to avoid non-Secure, non-HTTPS cookies.
Storing access tokens in Secure, HttpOnly cookies is the best thing you can do.
Never store access tokens in local storage: anything there is readable by any script running in the page, so a single XSS bug hands the token to the attacker. Storing them in Secure, HttpOnly cookies achieves the following:
You don't expose the token to the JavaScript environment in the browser (the HttpOnly flag keeps it out of document.cookie), which is where an XSS payload runs.
You don't transmit the token over non-HTTPS connections (the Secure flag), which are prone to man-in-the-middle attacks.
But, as always, there are tradeoffs – and there are two we care about:
The security tradeoff is that Secure, HttpOnly cookies are still vulnerable to CSRF attacks: the browser attaches the cookie to any request to your origin regardless of which site initiated it, so you need to implement a CSRF token strategy to combat this issue. This is quite trivial and our SDKs do this for you out of the box.
#### 2. Cookies vs Tokens. Getting auth right with Angular.JS ==> There are a lot of debates in the post.