We’re currently using local storage for our tokens, because we need them to persist between browser sessions.
Some of our web pages, however, are rendered server-side (that is, HTML is produced upon first request, outside of the JS/browser context) and as such don’t have access to the client-side tokens (e.g. access tokens). If we want to personalise such pages, and be sure that the user is who we think it is, that leaves us with a problem (we cannot see the token).
Is there any reference material or a recommended design approach to this (for example, the use of httpOnly cookies)?