Learn about the security features of cookies and how Corbado’s session management makes use of them.

| Type | Name | Value | Path | Attributes | Default duration |
|---|---|---|---|---|---|
| session-token | `cbo_session_token` | JWT | Application URL | `secure`, `sameSite=lax` | 5 mins |
| refresh-token | `cbo_refresh_token` | Opaque string | Frontend API | `httpOnly`, `secure`, `sameSite=lax` | 1 day |

Both cookies set the `secure` flag, which ensures that they can only be accessed on secure internet connections.
The properties of `httpOnly` and `sameSite` will be explained in the following sections on XSS protection and CSRF protection, respectively. These sections provide further details on how these properties contribute to safeguarding against specific types of attacks.
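
To verify that a deployment actually emits the attributes listed in the table, the `Set-Cookie` response headers can be checked against it. The following is an added example, not code from Corbado; the function names, the sample header values and the `Path=/` placeholders are assumptions constructed for illustration.

```javascript
// Expected attributes per cookie, taken from the table on this page.
const EXPECTED = {
  cbo_session_token: { secure: true, httponly: false, samesite: "lax" },
  cbo_refresh_token: { secure: true, httponly: true, samesite: "lax" },
};

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive, so they are lowercased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) throw new Error("malformed cookie pair: " + pair);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Return a list of findings; an empty list means the header matches the table.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const want = EXPECTED[name];
  if (!want) return [`${name}: not a cookie listed in the table`];
  const findings = [];
  if (want.secure && !("secure" in attrs)) findings.push(`${name}: missing Secure`);
  const hasHttpOnly = "httponly" in attrs;
  if (want.httponly !== hasHttpOnly)
    findings.push(`${name}: HttpOnly ${hasHttpOnly ? "set but not expected" : "missing"}`);
  const sameSite = String(attrs.samesite || "").toLowerCase();
  if (sameSite !== want.samesite)
    findings.push(`${name}: SameSite is "${sameSite || "unset"}", expected "${want.samesite}"`);
  return findings;
}

// Constructed sample headers (values and paths are placeholders, not real tokens).
const samples = [
  "cbo_session_token=eyJ.constructed.jwt; Path=/; Secure; SameSite=Lax",
  "cbo_refresh_token=constructed-opaque; Path=/; Secure; HttpOnly; SameSite=Lax",
  "cbo_refresh_token=constructed-opaque; Path=/; Secure; SameSite=None",
];
for (const h of samples) console.log(auditSetCookie(h));
```

The third sample is deliberately misconfigured: the refresh token is reported for a missing `HttpOnly` and for `SameSite=None` instead of `lax`.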