According to this conference (on YouTube), we should not use cookie authentication for Web Api, because if there are multiple servers on the same domain, there is a possibility of a CSRF attack.
He says the following: "we should instead use JWT Bearer tokens".
How exactly does using JWT token authentication solve this problem?
EDIT
This sheds some more light on what is going on.
As I understand, there are two ways of mitigating CSRF:
1. Put tokens into the Authentication header instead of a cookie and store the tokens in localStorage. This way they do not get attached if sent by some rogue form, as described in the article above. Are JWT tokens put into the Authentication header?
2. Another way, as I understand, works by using a hidden input field to add an antiforgery token. This can be turned on easily in Razor and is supported in Angular. But what about React? Can we stick with standard cookie authentication for Web Api this way? Can we do it in React? Is there any example?
But what about sharing domains, as described in the article above? Is there any risk of another app on the shared domain obtaining the authentication token or cookie?
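
A small model of the two mitigations listed in the question, added here as an example and not part of the original post. The session id, the tokens and the `x-csrf-token` header name are constructed, the bearer token is sent in the HTTP `Authorization` header, and the forging page is assumed to be same-site (a sibling app on the shared domain), so the browser sends the cookie.

```javascript
// Added example, not from the original post. All ids, tokens and the
// "x-csrf-token" header name are constructed for illustration.
const SESSIONS = new Map([["sess-1", { user: "alice", csrfToken: "csrf-constructed-7f3a" }]]);
const BEARER_TOKENS = new Map([["jwt-constructed-abc", "alice"]]);

// Comparison that does not stop at the first differing character.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Browser model: cookies scoped to the API ride along on every request to it,
// including a form posted by another page. A plain form cannot add headers.
// Assumption: the posting page is same-site (sibling app on the shared domain),
// so SameSite cookie rules do not hold the cookie back.
function forgedFormPost(cookieJar) {
  return { method: "POST", cookies: { ...cookieJar }, headers: {} };
}

// The SPA's own request: script decides which headers to add.
function appFetch(cookieJar, headers) {
  return { method: "POST", cookies: { ...cookieJar }, headers: { ...headers } };
}

// Server-side check under three policies. Returns the user name or null.
function authenticate(req, policy) {
  const session = SESSIONS.get(req.cookies.session);
  if (policy === "cookie-only") return session ? session.user : null;
  if (policy === "cookie+antiforgery") {
    const sent = req.headers["x-csrf-token"] || "";
    return session && safeEqual(sent, session.csrfToken) ? session.user : null;
  }
  if (policy === "bearer") {
    const m = /^Bearer (.+)$/.exec(req.headers["authorization"] || "");
    return m && BEARER_TOKENS.has(m[1]) ? BEARER_TOKENS.get(m[1]) : null;
  }
  return null;
}

// Outcome of the forged form post under each policy.
function forgedOutcomes(cookieJar) {
  const req = forgedFormPost(cookieJar);
  return ["cookie-only", "cookie+antiforgery", "bearer"].map((p) => authenticate(req, p));
}
console.log(forgedOutcomes({ session: "sess-1" }));
```

In a React client, `appFetch` corresponds to a `fetch` call made with `credentials: "include"` plus the extra header, with the antiforgery token value delivered to the page by the server.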