As an old guy reading this I had a lot of wtf moments during the setup. Then I laughed pretty hard when we eventually got to this line. Like there's a reason we invented cookies and all mature web frameworks use them for auth.
Cookie stealers, issues with third-party cookies and tracking... it's not like the past was a paradise, in fact, quite the opposite. Hell I 'member times when we had to append ?PHPSESSID=... to URLs. Cookies were a stopgap...
Much more importantly however, is that the cookie standards are a mess! The complexity of cookie default behaviour, their flags, scopes, differences in their SOP (cookies ignore ports for example, so https://example.com:443 and https://example.com:8443 share their cookies) are huge. Research papers have been written in this. And don't even get started on differentials between browsing engines.
This huge complexity of cookies opens up a whole class of authentication attacks where bad (or just weirdly) configured cookies can be stolen cross origin.
localStorage on the other hand is practically impossible to get wrong.
This is what aspnet core does by default if you enable cookie-based authentication. Gives you the best of both worlds.
Is there someone in another part of the world that would like hacking you only if you’re not using httpOnly cookies, happy to know that you used localstorage?
I really want this era of AI generated writing that reads so poorly to end. Or at least society should be ashamed of publishing this content.