> "when subsequent calls are made to the QuickBase without passing the Ticket, still we get the desired output"

I am not sure you are making the "subsequent calls" through Postman or a browser or using some other user agent. The ticket is sent as an "httponly cookie" from the browser context, meaning it cannot be accessed through client-side script and is sent to the server encrypted. The ticket does not appear in the URL or post body, as it is sent as a secure httponly cookie in the header automatically. There is no security concern. QuickBase's security is very good, and you are far more likely to have a user misplace or share their password or commit some other human error than to have someone steal your cookies.

What is an httponly cookie? HttpOnly is a flag added to cookies that tells the browser not to display the cookie through client-side scripts (document.cookie and others). The agenda behind HttpOnly is not to spill out cookies when an XSS flaw exists: a hacker might be able to run their script, but the fundamental benefit of having an XSS vulnerability (the ability to steal cookies and hijack a currently established session) is lost.

https://latesthackingnews.com/2017/07/03/what-is-httponly-cookie/
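As an added illustration (not part of the reply above and not QuickBase's own code), the following Node.js snippet shows what the HttpOnly and Secure flags look like on the wire and how to audit a `Set-Cookie` header for them. The cookie name `TICKET`, its value, and the `visibleToScript` model of what `document.cookie` would expose are constructed assumptions for the example; the attribute names (`HttpOnly`, `Secure`, `SameSite`) are the standard cookie attributes.

```javascript
// Added example: parse and audit Set-Cookie headers for session-hardening flags.
// Plain Node.js, no dependencies. Cookie names/values below are constructed.

// Parse one Set-Cookie header value into { name, value, attrs }.
// attrs is keyed by lowercase attribute name; valueless flags map to true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) throw new Error("empty Set-Cookie header");
  const eq = parts[0].indexOf("=");
  if (eq < 0) throw new Error("malformed Set-Cookie: missing name=value");
  const name = parts[0].slice(0, eq).trim();
  const value = parts[0].slice(eq + 1).trim();
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Audit a session-bearing cookie and return a list of findings (empty = OK).
function auditSessionCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) {
    findings.push(`${name}: missing HttpOnly (readable via document.cookie)`);
  }
  if (!attrs.secure) {
    findings.push(`${name}: missing Secure (may be sent over plain HTTP)`);
  }
  const ss = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : null;
  if (ss !== "strict" && ss !== "lax") {
    findings.push(`${name}: SameSite not Strict/Lax (sent on cross-site requests)`);
  }
  return findings;
}

// Model of what document.cookie exposes: every cookie NOT flagged HttpOnly.
// (Assumption for illustration; real browsers also apply path/domain/expiry rules.)
function visibleToScript(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.attrs.httponly)
    .map((c) => c.name);
}

// Build a hardened Set-Cookie header value for a session ticket.
function hardenedSetCookie(name, value, maxAgeSeconds) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly; SameSite=Strict`;
}

// Constructed sample headers: a weak one and a hardened one.
const WEAK_TICKET = "TICKET=abc123; Path=/";
const STRONG_TICKET = hardenedSetCookie("TICKET", "abc123", 3600);

console.log("weak findings:", auditSessionCookie(WEAK_TICKET));
console.log("strong findings:", auditSessionCookie(STRONG_TICKET));
console.log("visible to script:", visibleToScript([STRONG_TICKET, "theme=dark; Path=/"]));
```

Run it with `node` and the weak header produces three findings while the hardened one produces none; only the non-HttpOnly `theme` cookie shows up in the `document.cookie` model, which is exactly the property the reply relies on when it says the ticket cannot be reached from client-side script.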