green-angle-21108
02/14/2022, 10:34 PM
/whoami endpoint with the request's cookies, right? But this doesn't prevent a CSRF attack (the way an in-memory access token would), or am I missing something?
2. With the refresh token it was possible to have the user be authenticated without interaction for an indefinite time, if said user visited the site regularly. I found the ?refresh=true, but here the user actually has to enter the password again. Is there another way to refresh the session without interaction, or what would be best practice to achieve something similar?

damp-sunset-69236
02/15/2022, 8:47 AM
/sessions/whoami endpoint to check if the incoming request is authenticated. You can have multidomain and have strict rules to prevent CSRF. Have you checked the 'Advanced Base URL, CSRF & Session Cookie settings' guide?

green-angle-21108
02/15/2022, 9:24 AM
same_site attribute to Strict?