Cookies have some excellent security features ("secure" flag, "http" flag to prevent javascript from acesssing it, and "same-site" flag for CSRF prevention on modern browsers).

Don't use other storage mechanisms for storing anything secret. Nothing beats cookies today.