Alternative to HTTP Cookies?
One of the fundamental principles of REST, and I mean real REST, is not to store state on the server. If there is no state on the server, then there is no need for a cookie to be used as a key to look that state up.
You need secure cookies with cookie prefixes. The cookie prefixes __Secure-* and __Host-* secure your cookies by ensuring that they are only set by and sent over secure connections, preventing cookie sniffing and man-in-the-middle attacks.
For additional security you could force your users to only log in from a whitelist of specific IP addresses.
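The cookie-prefix rules referred to above, as an added example that is not part of the original answer: a checker that takes a Set-Cookie header value and reports why a browser enforcing prefixes would reject it. The function names and the sample headers are constructed for illustration.

```javascript
// Split a Set-Cookie header value into the cookie name and a map of attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";");
  const eq = pair.indexOf("=");
  const name = (eq === -1 ? "" : pair.slice(0, eq)).trim();
  const attrs = new Map();
  for (const part of attrParts) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs.set(key, i === -1 ? "" : part.slice(i + 1).trim());
  }
  return { name, attrs };
}

// Return the prefix rules a header violates (empty array = acceptable).
// setOverHttps: whether the response carrying the header came over HTTPS.
function prefixViolations(header, setOverHttps) {
  const { name, attrs } = parseSetCookie(header);
  const lower = name.toLowerCase(); // matched case-insensitively, the stricter reading
  const isHost = lower.startsWith("__host-");
  const isSecure = lower.startsWith("__secure-");
  const problems = [];
  if (!isHost && !isSecure) return problems; // unprefixed: no prefix rules apply
  if (!setOverHttps) problems.push("set from a non-HTTPS origin");
  if (!attrs.has("secure")) problems.push("missing Secure attribute");
  if (isHost) {
    // __Host- additionally pins the cookie to the exact host and the root path.
    if (attrs.has("domain")) problems.push("__Host- must not have Domain");
    if (attrs.get("path") !== "/") problems.push("__Host- requires Path=/");
  }
  return problems;
}

// Constructed sample headers.
const samples = [
  "__Host-sid=abc; Secure; Path=/; HttpOnly",
  "__Host-sid=abc; Secure; Path=/; Domain=example.com",
  "__Secure-sid=abc; Path=/",
];
for (const h of samples) {
  const p = prefixViolations(h, true);
  console.log(h, "->", p.length ? p.join(", ") : "ok");
}
```

Running such a check over the Set-Cookie headers an application emits, for example in an integration test, catches cookies that browsers would silently drop.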
There are MANY (2021 updated):
I believe the information in this resource from Google and/or this link will help you to find alternatives for saving information on the client side.
Basically... there are currently 4 different ways to store data on the client side without using cookies:
- Local Storage (Session and Local key/value pairs)
- Web SQL (my favorite, it's a whole SQL Database, and it's NOT obsolete)
- IndexedDB (another Database with different structure and acceptance)
- Service Workers (Persistent background processing, even while offline, can asynchronously save files and many other things)
I believe that for your specific need the Local Storage pairs are the easiest solution.