
> This protocol seems to also depend on JS

It doesn't mention any dependency on JS, there's pseudocode in Python to demonstrate generating/using the token.

> but some web apps use JS and sessionStorage on browser to store session token instead of using cookie

This is particularly strange. I've seen that frontend apps do this, but I can't understand why, because it's error prone and an excellent attack vector. It boils down to emulating cookies: having to have some sort of request interceptor that includes the token on every XHR/fetch to the server side, and another interceptor that saves the updated token on every valid response from the server side. It seems like a misguided attempt to rectify problems that stem from CORS handling, or shortsighted design where auth was bolted on as an afterthought.
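As an added illustration (not code from either commenter), here is the "emulate cookies" pattern the comment above describes, reduced to its two interceptors: one that attaches the stored token to every fetch, one that saves a rotated token from the response. It runs under Node with a constructed stand-in for `sessionStorage` and a constructed fake server; the `X-Session-Token` response header and the `session_token` storage key are assumptions made for the example. The last function shows the caveat that motivates the comment: any script running in the page can read the same storage the interceptor reads, which an HttpOnly cookie does not allow.

```javascript
// Added example, not from the thread. Header name X-Session-Token and the
// storage key session_token are assumptions for illustration.

// Constructed stand-in for window.sessionStorage (same getItem/setItem API).
function makeStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Request interceptor + response interceptor wrapped around fetch.
// Every call attaches the stored token as a bearer credential; every
// successful response carrying a rotated token overwrites the stored one.
function createAuthFetch(storage, fetchImpl,
                         { key = 'session_token', header = 'X-Session-Token' } = {}) {
  return async function authFetch(url, init = {}) {
    const headers = { ...(init.headers || {}) };
    const token = storage.getItem(key);
    if (token) headers.Authorization = `Bearer ${token}`;
    const res = await fetchImpl(url, { ...init, headers });
    if (res.ok) {
      const rotated = res.headers.get(header);
      if (rotated) storage.setItem(key, rotated);
    }
    return res;
  };
}

// Constructed fake server: accepts bearer "tok-1" and rotates it to "tok-2",
// accepts "tok-2" as-is, rejects anything else with 401.
function fakeFetch(url, init) {
  const auth = (init.headers || {}).Authorization;
  const ok = auth === 'Bearer tok-1' || auth === 'Bearer tok-2';
  const respHeaders = new Map(auth === 'Bearer tok-1' ? [['X-Session-Token', 'tok-2']] : []);
  return Promise.resolve({
    ok,
    status: ok ? 200 : 401,
    headers: { get: (h) => (respHeaders.has(h) ? respHeaders.get(h) : null) },
  });
}

// The caveat: the interceptor and any other script in the page share the same
// storage, so the credential is readable by script. A session cookie marked
// HttpOnly is attached by the browser and cannot be read this way.
function tokenVisibleToScript(storage, key = 'session_token') {
  return storage.getItem(key);
}

// Walks the flow: initial token, rotation on first response, reuse of the
// rotated token, then a request with no stored token.
async function demo() {
  const storage = makeStorage();
  storage.setItem('session_token', 'tok-1');
  const authFetch = createAuthFetch(storage, fakeFetch);
  const r1 = await authFetch('/api/me');
  const r2 = await authFetch('/api/me');
  const exposed = tokenVisibleToScript(storage);
  storage.removeItem('session_token');
  const r3 = await authFetch('/api/me');
  return { first: r1.status, second: r2.status, third: r3.status, exposed };
}

demo().then((r) => console.log(r));
```

The point to take from `tokenVisibleToScript` is not that `sessionStorage` is broken, but that the interceptor design makes the credential part of the page's script-accessible state, so the XSS surface of the whole frontend becomes the session's security boundary.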



There are valid use cases and complex interactions between multiple systems where the only solution is client handling of user token.

Also, sessionStorage is a web standard and it is designed to store data to be used in the session. If you think frontend devs shouldn't use it because they are incompetent at handling XSS, then maybe backend devs should also not use databases because they might leave the port open to public internet.



