Both use cookies; the point is what that cookie will contain:
Plug.Session.COOKIE will store all information about the session directly in the cookie.
Plug.Session.ETS will create a local ETS table that will contain the information about the session, and the cookie will contain only a pointer to the session in that table.
DO NOT LISTEN TO THEM, a cookie is the best and most secure way to store the session ID, especially when you set the :http_only flag. This will cause your cookie to be unavailable via document.cookie, which will make it completely secure against leaking the session via XSS.
It should not be used. Window.sessionStorage has exactly the same problems as Window.localStorage and should never be used to store confidential data. These mechanisms are meant as cache mechanisms that are user-controlled.
This will work for me because I’m using sockets. Since the flag is a logical switch on the client side, there is still the issue that using xhr/soap/xhttp/whatever you want to call it has the cookie sent unencrypted in the header of every put, post, get, head and delete headers. Granted, a normal web user wouldn’t have access to that, but it doesn’t mean that there are not people potentially packet inspecting the connection either…
Headers are sent encrypted as well in HTTPS connections, so that is no problem. Additionally, even if you would store the token in Window.sessionStorage or Window.localStorage, you would send the token/sessionID via a header anyway.
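
The two stores compared in this thread, as an added example that is not part of any post above: it sends one request through `Plug.Session` with each store and prints the resulting `Set-Cookie` header, so the cookie contents and the `HttpOnly`/`secure` flags can be compared. The module name, host, cookie keys, salts, secret and table name are constructed for illustration, and the script assumes network access so that `Mix.install` can fetch `:plug`.

```elixir
# Added example, not code from the thread. All names and secrets are constructed.
Mix.install([{:plug, "~> 1.14"}])

defmodule SessionCookieDemo do
  import Plug.Conn

  # Constructed placeholder (72 bytes); a real app loads this from secret config.
  @secret String.duplicate("constructed-demo-secret-", 3)

  # Sends one HTTPS test request through Plug.Session, writes a value into the
  # session, and returns the Set-Cookie header(s) of the response.
  def set_cookie(session_opts) do
    Plug.Test.conn(:get, "https://app.example/")
    |> Map.put(:secret_key_base, @secret)
    |> Plug.Session.call(Plug.Session.init(session_opts))
    |> fetch_session()
    |> put_session(:user_id, 42)
    |> send_resp(200, "ok")
    |> get_resp_header("set-cookie")
  end
end

# http_only keeps the cookie out of document.cookie (Plug already defaults it to
# true); secure restricts it to HTTPS, where headers are encrypted in transit.
flags = [http_only: true, secure: true, same_site: "Lax"]

# Cookie store: the whole session map travels inside the cookie.
# With only :signing_salt it is signed but readable by the client;
# adding :encryption_salt encrypts it as well.
cookie_store =
  [store: :cookie, key: "_demo_session",
   signing_salt: "constructed-sign", encryption_salt: "constructed-enc"] ++ flags

# ETS store: the session map stays in a server-side table and the cookie
# carries only a random session id pointing at the row.
:ets.new(:demo_sessions, [:named_table, :public, read_concurrency: true])
ets_store = [store: :ets, key: "_demo_sid", table: :demo_sessions] ++ flags

IO.inspect(SessionCookieDemo.set_cookie(cookie_store), label: "cookie store")
IO.inspect(SessionCookieDemo.set_cookie(ets_store), label: "ets store")
IO.inspect(:ets.tab2list(:demo_sessions), label: "server-side ETS rows")
```

Both headers should end with the same flags; only the ETS run leaves a row in the table, which is the data the cookie-store run had to put in the cookie itself.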