About JSON Web Tokens (JWT), Cookies, XSRF, XSS and how to get it all right, more or less.