2024-10-04 15:11:59

lil5 :golang: 🌱 on Nostr: cookies are inherently vulnerable to CSRF attacks even if you make the cookie ...

cookies are inherently vulnerable to CSRF attacks even if you make the cookie lifetime 30s, it gives a window where technically, a forged request elsewhere could be triggered by the user.

The options at that point are to:
1. Shorten the CSRF cookie lifetime (accept the vulnerability window)
2. Have the CSRF call return the token in the resp body, then return it in the secure request as a header using JS
Author Public Key
npub13mf5xspvn2elj6cnmvc6x4r3fv53ecpgysjlgjwkuq7f7mxwfuxqv6tkv8
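As an added Go example (not code from lil5's post), here is the server side of option 2: the token minted by IssueToken is handed back in a response body rather than a cookie, and ValidToken compares the X-CSRF-Token header a JS client sends on the secure request against the token recorded for the session cookie, so a forged cross-site request that carries only the cookie is rejected. The in-memory store, the cookie name `session` and the header name are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"net/http"
	"sync"
)

// Hypothetical in-memory store (session ID -> issued token); an assumption for this example.
var mu sync.Mutex
var tokens = map[string]string{}

// IssueToken mints a random token for the session; the /csrf endpoint returns it in the body.
func IssueToken(sessionID string) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	tok := hex.EncodeToString(b)
	mu.Lock()
	tokens[sessionID] = tok
	mu.Unlock()
	return tok
}

// ValidToken checks the X-CSRF-Token header against the token issued for the session cookie.
// A cross-site form post sends the cookie automatically but cannot set a custom header.
func ValidToken(r *http.Request) bool {
	c, err := r.Cookie("session")
	if err != nil {
		return false
	}
	mu.Lock()
	want, ok := tokens[c.Value]
	mu.Unlock()
	got := r.Header.Get("X-CSRF-Token")
	return ok && subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1
}
// Protect rejects state-changing requests that lack a valid token.
func Protect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet && r.Method != http.MethodHead && !ValidToken(r) {
			http.Error(w, "invalid CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Wrap the state-changing routes in Protect and serve IssueToken's result from a GET endpoint that the page's JS calls before each sensitive request.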