I've read lately that storing JWT tokens in localStorage is considered a bad practice. You can easily implement Set-Cookie headers on the server side with the httpOnly flag to prevent XSS, but with it the client-side JavaScript has no knowledge of previous actions by the user (like a successful login). How is it possible to implement an auto-login feature without the use of localStorage? Bind the JWT token to a specific IP address?
We have an NGINX server over HTTPS, which serves the static React SPA files and also talks with the Express backend. I'm really clueless about this.