pull down to refresh
449 sats \ 2 replies \ @benthecarman 19 Nov 2023 \ on: Account Switching by ekzyis · Pull Request #644 · stackernews/stacker.news meta
Why not have individual login tokens per account and client side it picks which to use based on which account is selected?
Is this different to what I am doing?
I am setting individual login session tokens (JWTs) per account (
multi_auth.<userId>
).The client uses a "cointer pookie" (I made that term up) to switch between accounts since we don't want to give JS access to the actual session tokens.
My assumption is that using pointer cookies should prevent XSS vulns since in case of a XSS vuln, an attacker could only see which accounts you're linked to. But don't access the actual session tokens.
reply
lol, cointer pookie. I meant pointer cookie
reply