This is bad advice. Cookies should almost always be used in browser session management. This is due to the built-in security advantages that browsers give cookies e.g. HTTP Only. Even if your main auth strategy is using tokens, you should support a cookie wrapper for browser based clients. This is one of the main ways to decrease the attack surface area of XSS vulnerabilities.