What's the best way to do authentication in modern applications

Turns out the old-school login trick may still be the least messy option

TLDR: The article argues that for most apps, old-school browser cookies are still the safest way to keep people logged in. Commenters turned that into a brawl, with veterans cheering the boring answer, critics mocking the writing as AI-made, and others insisting browser storage is unfairly blamed.

A seemingly simple question — where should apps keep your login proof so bad actors can’t grab it — turned into a full-on internet food fight. In the article, Neciu Dan walks readers through the big choices: keeping it in the browser’s storage, keeping it only temporarily, or using old-fashioned browser cookies. His big message is that the web is a hostile place, and the safest answer for most normal apps is often the least glamorous one: let the browser handle it in a more traditional way.

But the comments? Absolutely feral. One camp basically yelled, “Congrats, we reinvented 2005,” with veterans gleefully pointing out that there’s a reason mature websites settled on cookies ages ago. Another crowd was less interested in the security debate and more interested in dragging the article itself, with multiple commenters accusing it of sounding like AI slop. One brutal jab summed up the mood: don’t use modern token hype for everyday logins, and maybe don’t outsource your writing to a chatbot either.

There was also a stubborn rebel faction defending browser storage, arguing that if a bad actor can already run code in your page, you’ve got bigger problems than where the login proof lives. That clash — boring and safe vs flexible and practical — became the real show. The funniest running joke? After all the fancy modern talk, the crowd’s verdict was basically: the “boring” old stuff still works, and everyone is mad about it.

Key Points

  • The article examines where authentication tokens should be stored in modern web applications and compares the security tradeoffs of different approaches.
  • It uses a common localStorage-based login flow as the starting point for discussing authentication design.
  • The article analyzes authentication through the lens of web security risks, especially XSS and CSRF.
  • It covers alternatives to localStorage, including in-memory token handling and httpOnly cookies.
  • The article also compares sessions and JWTs, discusses where JWTs fit, and includes OAuth and React implementation considerations.

Hottest takes

"the boring 2005 design wins" — padjo
"It’s likely close to 100% ai made" — haburka
"Don't use JWTs for session auth" — stavros
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.