Securing a cookie in user browser | Community
February 18, 2024
Solved


Hello team,

How can I secure the user's cookie? In my application, we are saving the idToken and accessToken cookies in the browser. We have enabled the HttpOnly and Secure flags on these fields. Still, I came to know that a techie end user can modify these cookie values.

Also, in the application logic, we are writing the logic as: if idToken is present in the browser cookie, then that means the user is logged in. However, after logout, a techie user can create an idToken with a dummy value. In that case, my application still shows secure pages (since the idToken is present in the browser cookie).

How to mitigate these issues?

Thanks

aanchal-sikka (Community Advisor), Accepted solution
February 18, 2024

Here are some additional steps you can take to mitigate the issues you've described:

1. Token Expiration and Refresh: Implement token expiration and refresh mechanisms. This involves setting an expiration time for tokens (e.g., idToken, accessToken) and periodically refreshing them. When a token expires, the user will need to reauthenticate to obtain a new token.

2. Token Validation: Ensure that tokens are validated on the server side before granting access to sensitive resources. This includes verifying the signature, issuer, and expiration time of the token. Do not solely rely on the presence of a token in the cookie to determine authentication status. Implement AuthCheckerServlet as described at https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/configuring/permissions-cache.html?lang=en. The servlet should validate the token before providing access.

3. Revocation: Implement token revocation mechanisms to invalidate tokens when a user logs out or their session expires. This can be achieved by maintaining a blacklist of revoked tokens on the server side.

4. Use HTTPS: Ensure that your application is served over HTTPS to encrypt the communication between the client and server, reducing the risk of man-in-the-middle attacks.

5. Secure Token Storage: Store tokens securely on the client side using techniques such as HttpOnly and Secure flags, as you've already done. Additionally, consider encrypting sensitive token data stored on the client side.

Aanchal Sikka
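As an added illustration (not code from this thread, and not AEM's AuthCheckerServlet), here is a Python sketch of the server-side check that points 2 and 3 above describe: the cookie value is trusted only after its HS256 signature, issuer and expiry verify, and a logout denylists the token id so the same value stops working. The signing key, the issuer URL and the JWT claim layout are assumptions made for the demo.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-signing-key"  # assumption: HMAC key shared with the issuer
ISSUER = "https://idp.example.test"       # assumption: placeholder issuer URL
REVOKED = set()                           # server-side denylist of revoked token ids (jti)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, jti: str, ttl: int = 3600) -> str:
    """Mint an HS256 JWT carrying iss/exp/jti claims (issuer side, demo only)."""
    now = int(time.time())
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"iss": ISSUER, "sub": sub, "jti": jti,
                                "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url(sig)}"

def validate_token(token: str):
    """Return the claims dict only if signature, issuer, expiry and revocation all pass,
    else None. A cookie merely being present (or holding a dummy value) proves nothing."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, claims, sig = parts
    try:
        hdr = json.loads(b64url_decode(header))
        body = json.loads(b64url_decode(claims))
        sig_bytes = b64url_decode(sig)
    except ValueError:  # bad base64, bad UTF-8 and bad JSON are all ValueError subclasses
        return None
    if not isinstance(hdr, dict) or not isinstance(body, dict) or hdr.get("alg") != "HS256":
        return None  # reject alg=none and algorithm-confusion tokens
    expected = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None  # a user-minted or edited token fails the signature check
    if body.get("iss") != ISSUER or not isinstance(body.get("exp"), int) or body["exp"] <= int(time.time()):
        return None  # wrong issuer or expired
    if body.get("jti") in REVOKED:
        return None  # revoked at logout even though the signature is still valid
    return body

def logout(token: str) -> None:
    """Revocation on logout: denylist the jti so the same cookie value stops working."""
    body = validate_token(token)
    if body is not None:
        REVOKED.add(body["jti"])
```

In a real deployment the denylist lives in shared storage (or the session store) and entries can be dropped once their exp has passed.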