Store Auth0 JWT in httpOnly cookie

Hi @konrad.sopala - we’re bumping into the same issue. Any update on how we can set an httpOnly cookie? If we call the Lock widget, it handles the authentication and invokes our .js callback. However, the .js callback can’t set the cookie due to the httpOnly flag. The documentation indicates it requires using a “Form Post Response Model”, but it doesn’t really delve into how the cookie would be secured:

https://auth0.com/docs/login/spa/authenticate-with-cookies

Placing the token in LocalStorage, SessionStorage, or a general auth header isn’t an option as it exposes the token to malicious client-side JavaScript. Placing the token in the query string similarly exposes it to an admin with access to view web logs. Cookies with Secure and httpOnly flags direct the browser to enforce security measures to only send over HTTPS and prevent access by malicious scripts. Any guidance would be helpful.