Added RubenVerborgh explanation

My previous explanation was wrong

Author: megoth

lib/create-app.js

@@ -213,8 +213,18 @@ function initWebId (argv, app, ldp) {
     // TODO: remove this exception when OIDC clients
     // use Bearer token to authenticate instead of cookie
     // (https://github.com/solid/node-solid-server/pull/835#issuecomment-426429003)
-    // We only want to do this check if strictOrigin is set to false, since we trust WebACL to handle origins otherwise
-    // If we don't allow authentication with cookies we can't handle ACLs properly wrt trusted origins
+    //
+    // Authentication cookies are an optimization:
+    // instead of going through the process of
+    // fully validating authentication on every request,
+    // we go through this process once,
+    // and store its successful result in a cookie
+    // that will be reused upon the next request.
+    // However, that cookie can then be sent by any server,
+    // even servers that have not gone through the proper authentication mechanism.
+    // However, if trusted origins are enabled,
+    // then any origin is allowed to take the shortcut route,
+    // since malicious origins will be banned at the ACL checking phase.
     // https://github.com/solid/node-solid-server/issues/1117
     if (!argv.strictOrigin && !argv.host.allowsSessionFor(userId, origin, trustedOrigins) && !isLogoutRequest(req)) {
       debug.authentication(`Rejecting session for ${userId} from ${origin}`)