Link-post today, the Meteor blog has a very interesting post about why Meteor has so-far avoided session cookies in favor of localStorage, including a high-level but nevertheless useful overview of issues with session cookies. Useful read for the security-minded, including an interesting suggestion near the end of a "both and" approach.