Why not have individual login tokens per account and client side it picks which to use based on which account is selected?
Is this different to what I am doing?
I am setting individual login session tokens (JWTs) per account (multi_auth.<userId>).
The client uses a "cointer pookie" (I made that term up) to switch between accounts since we don't want to give JS access to the actual session tokens.
My assumption is that using pointer cookies should prevent XSS vulns since in case of a XSS vuln, an attacker could only see which accounts you're linked to. But don't access the actual session tokens.
lol, cointer pookie. I meant pointer cookie