18 Sep
What are the security implications of receiving a secret (e.g. OAuth BEARER) token via cookie vs. Authorization header?
I have seen applications use both the Authentication HTTP header, as well as a cookie, or sometimes even both, to store and transmit BEARER tokens (JWT) when they send requests. For example, I am currently looking at an application where the API docs state how to make an API request to get the token, then instruct the user to store the returned BEARER token in a cookie called app.token using Set-Cookie in curl requests.
So my question is, what are the security implications behind handling the tokens in these two different ways, and is there any security purpose to do both simultaneously?