@90991173 @b05df304

authentication should be baked into Auth cookie, encrypted, protected

session data should be in local storage and sent when needed as an encrypted object