I’m currently using cookies for authentication in a .NET 9 backend with an Angular 20 frontend. Right now, I store both the accessToken and refreshToken directly in cookies.
I’m trying to improve the security of this approach. One idea I’m considering is:
storing a single cookie (e.g., __session) that contains a combined or encrypted value of both tokens
using another cookie (e.g., cookiesession1) to hold a session identifier
However, I’m not sure if this is a good practice or if it introduces unnecessary complexity. Also, my current backend/frontend implementation is not fully prepared to handle this properly yet.
So my questions are:
Is combining access and refresh tokens into a single cookie a good idea?
Is using a session-based approach (with a session ID in cookies) better than storing tokens directly?
What is the recommended secure pattern for handling authentication with cookies in a .NET + Angular stack?
