With the `SameSite=strict` option on modern browsers and the `HttpOnly` (plus `Secure` to only run in SSL secured context), Cookies are more secure and the way to go instead of storing credentials anywhere accessible from within JavaScript. Before SameSite=strict, cookies were a security nightmare and often resultet in XSRF attacks, and required XSRF mitigations (like xsrf tokens), but this is no longer the case as all modern browsers support it.
With the `SameSite=strict` option on modern browsers and the `HttpOnly` (plus `Secure` to only run in SSL secured context), Cookies are more secure and the way to go instead of storing credentials anywhere accessible from within JavaScript. Before SameSite=strict, cookies were a security nightmare and often resultet in XSRF attacks, and required XSRF mitigations (like xsrf tokens), but this is no longer the case as all modern browsers support it.