Cookies should not be used to identify users when a bearer token is provided
Today, if I authenticate on DjangoLDP instance A in client A, I get two auth means: a sessionid cookie and a JWT bearer token stored in browser localStorage. If I then authenticate to another DjangoLDP instance B in client B and that instance B is federated with instance A, I start to be in trouble: client B sends bearer token B and cookie A to server A, and server A authenticates me as user A instead of user B.
I think that the session cookie should only be used to first generate the access token, but not in subsequent requests.
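
The precedence problem described in this report, as an added example that is not part of the original report and is not DjangoLDP code: a cookie-first resolver next to one that treats a presented bearer token as the only identity source. The `SESSIONS` and `TOKENS` tables, the function names and the sample values are hypothetical stand-ins for server A's session store and JWT validation, and the sketch assumes server A accepts token B through federation.

```python
# Added example: framework-agnostic sketch, not DjangoLDP code.
# SESSIONS and TOKENS are constructed stand-ins for server A's session
# store and for its JWT validation (assumed to accept federated token B).
SESSIONS = {"sess-a": "userA"}                  # sessionid cookie -> user
TOKENS = {"tok-a": "userA", "tok-b": "userB"}   # bearer token -> user


class AuthError(Exception):
    """Credentials were presented but are not acceptable."""


def bearer_token(headers):
    """Return the bearer token, or None when no Authorization header is sent."""
    value = headers.get("Authorization")
    if value is None:
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise AuthError("malformed Authorization header")
    return token.strip()


def resolve_cookie_first(headers, cookies):
    """Behaviour described in the report: the session cookie wins."""
    user = SESSIONS.get(cookies.get("sessionid"))
    if user is not None:
        return user
    token = bearer_token(headers)
    return TOKENS.get(token) if token else None


def resolve_bearer_when_present(headers, cookies):
    """A presented bearer token is the only identity source for the request."""
    token = bearer_token(headers)
    if token is not None:
        user = TOKENS.get(token)
        if user is None:
            # No fallback to the cookie: that would reintroduce the confusion.
            raise AuthError("invalid bearer token")
        return user
    # No bearer token sent, e.g. the request that first obtains the token.
    return SESSIONS.get(cookies.get("sessionid"))


# Constructed request: client B calls server A with token B and leftover cookie A.
request = ({"Authorization": "Bearer tok-b"}, {"sessionid": "sess-a"})
```

The rejection branch matters as much as the ordering: if an invalid or malformed bearer token silently fell back to the cookie, the request would again be attributed to user A.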