> (this is not possible with client-side JavaScript).

I’ll read about HEIST once I find some time, thanks for the pointer.

Regarding the kind of attack I was referring to, it’s about session stealing by guessing the full cookie. But as I said, even if you’re able to steal the cookie, this is not about CSRF. You don’t even need CSRF if you already have a valid cookie.