Use jwt auth http Only is a secure cookie, the MOST secure type of session. Set the token manually is not secure because you can read it by JS. You dont need to manage the token on client, Only set credentials: 'include' in all your requests and set the correct domain in cors.php. if u can, use Always https