
Server schemes that expect you to read cookies

Open rgrempel opened this issue 8 years ago • 24 comments

I think it is probably true that if you control both the client and the server, there is always a way to set things up so that the client code does not have to be aware of cookies.

However, there are some servers which expect the client code to be able to read a cookie. Here is a link to one such scheme, in which the client must read a cookie and send it back in an HTTP header, in order to prove something that helps avoid CSRF attacks.

http://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html#csrf-cookie

Now, this is not, even in Spring, the only way to structure CSRF protection. So, if you control the server, you can make things work without cookies.

There are, however, cases in which you do not control the server.

Of course, whether this is a compelling use case is a separate question, and I do not have anything interesting to say about that.

rgrempel · Jul 13 '16 02:07
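The cookie-to-header scheme the issue links to, shown end to end as an added example (not code from the issue or from Spring). Cookie and header names are Spring's defaults for this scheme (`XSRF-TOKEN` / `X-XSRF-TOKEN`); the sample cookie jar is constructed.

```javascript
// Double-submit cookie flow: the client reads a token cookie and echoes it in
// a request header; the server accepts only when both copies match.
// Names are Spring's defaults; the sample cookie jar below is constructed.
const CSRF_COOKIE = 'XSRF-TOKEN';
const CSRF_HEADER = 'X-XSRF-TOKEN';

// Client side: read one cookie out of a document.cookie-style string.
// Returns null when absent, which is exactly the case this issue is about:
// without cookie access the client cannot build the header at all.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [rawName, ...rest] = part.trim().split('=');
    if (rawName !== name) continue;
    try { return decodeURIComponent(rest.join('=')); } catch (e) { return null; }
  }
  return null;
}

// Client side: extra headers for a state-changing request. The token travels
// twice: automatically (cookie) and deliberately (header, set by page script).
function csrfHeaders(cookieString) {
  const token = readCookie(cookieString, CSRF_COOKIE);
  return token === null ? {} : { [CSRF_HEADER]: token };
}

// Server side: a cross-site page can make the browser attach the cookie, but
// the same-origin policy stops it from reading the cookie to fill the header,
// so a request with both copies equal is taken to come from our own pages.
function verifyDoubleSubmit(cookieString, headers) {
  const fromCookie = readCookie(cookieString, CSRF_COOKIE);
  const fromHeader = headers[CSRF_HEADER];
  if (!fromCookie || !fromHeader) return false;
  return constantTimeEqual(fromCookie, fromHeader);
}

// Compare without early exit so timing does not leak where tokens differ.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Constructed sample: what a browser holds after the server set the token.
const SAMPLE_JAR = 'JSESSIONID=abc123; XSRF-TOKEN=7f3e-constructed-token';
```

The header lookup is by exact key for brevity; a real server normalises header names case-insensitively before the check.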