An introduction to authentication
When an application handles sensitive information or paywalled content, safe client-server communication is key: certain resources must be limited to particular users. This is usually achieved by having the client present credentials, and we refer to this use of credentials as "authentication".
More precisely, we can define authentication as the following:
Authentication is the process of exchanging user credentials for a piece of unique identification.
There are several possible ways to authenticate a user in your application, and they all come with their own pros and cons, depending on what you want to achieve.
In this tutorial, we'll compare two of the most commonly used authentication types, list their pros and cons, and point out their use cases.
Token-based authentication
Token-based authentication requires more manual setup than the cookie-based approach, but it can often be used to overcome the shortcomings of cookies.
In this type of authentication, the server verifies the user's credentials and sends back a signed token to the browser, where it is stored and added as an Authorization header on subsequent requests. Note that a JWT is signed, not encrypted: the signature lets the server detect tampering, but anyone holding the token can read its contents.
There are several approaches to and implementations of token-based authentication, but for the purposes of this tutorial we will use JWT (JSON Web Token) as the example. The token is generally sent in the Authorization header in the form Bearer {JWT}, but it can also be sent in the body of a POST request or even as a query parameter (the last is best avoided, since URLs end up in server logs, proxies and browser history).
We can say there are four main steps in this approach:
1. The client sends the user's credentials to the server.
2. The server verifies them and returns a signed token.
3. The client stores the token and attaches it to subsequent requests.
4. The server verifies the token's signature (and expiry) on each request before serving the resource.
The jwt.io website can be used to decode a JWT's header and payload, and to encode or verify test tokens.
A JWT consists of three base64url-encoded parts separated by dots: the header, the payload and the signature, in the format header.payload.signature.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
If we use the jwt.io website to decode this token, this is the information we would get:
Header - algorithm and token type
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload data
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
Verify signature
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)
The secret is the server-side signing key (jwt.io shows a placeholder for it). Whoever holds it can mint tokens that the server will accept, so it must never be shipped to the client.
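As an added example that is not part of the original tutorial, here is a self-contained HS256 issuer and verifier written against Python's standard library. It reproduces the anatomy above (base64url header, base64url payload, HMAC-SHA256 over header.payload), walks the four steps of the flow (issue, store, send as Authorization: Bearer, verify) and rejects a token that names a different algorithm, carries a tampered signature, or has an expired exp claim. The secret for the jwt.io demo token shown above is assumed to be jwt.io's default, your-256-bit-secret, which this page does not state; the server secret, claims and request headers in the main block are constructed sample data.

```python
# Added example, not the tutorial's own code: minimal HS256 JWT issue/verify.
import base64
import hashlib
import hmac
import json
import time

# The jwt.io demo token quoted in the text. Its signing secret is assumed to be
# jwt.io's default "your-256-bit-secret" (an assumption; the page does not say).
DEMO_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
              "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")
DEMO_SECRET = b"your-256-bit-secret"


def b64url_encode(data):
    # JWT uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj):
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def hs256(signing_input, secret):
    return b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())


def encode_jwt(payload, secret):
    """Step 2: build header.payload and sign that string with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(_compact_json(header)) + "." + b64url_encode(_compact_json(payload))
    return signing_input + "." + hs256(signing_input.encode("ascii"), secret)


def decode_unverified(token):
    """What jwt.io displays: header and payload are only base64url, not encrypted."""
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def verify_jwt(token, secret, now=None):
    """Return the payload if the token is genuine and unexpired, else None."""
    try:
        h, p, sig = token.split(".")
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm: never let the token's own header pick it (this rejects
    # "none" and key-confusion tricks); this server only ever issues HS256.
    if header.get("alg") != "HS256":
        return None
    expected = hs256((h + "." + p).encode("ascii"), secret)
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        return None
    return payload


def user_from_request(headers, secret, now=None):
    """Step 4, server side: pull 'Bearer <jwt>' out of the Authorization header."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token.strip():
        return None
    return verify_jwt(token.strip(), secret, now)


def forge_alg_none(payload):
    """A token an attacker might send: alg 'none' and an empty signature."""
    header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    return header + "." + b64url_encode(_compact_json(payload)) + "."


if __name__ == "__main__":
    # Constructed sample data: step 2 issues a token after checking credentials (elided).
    secret = b"server-side-secret"
    issued = encode_jwt({"sub": "42", "role": "editor", "exp": int(time.time()) + 3600}, secret)
    # Step 3: the client stores it and attaches it to the next request.
    request_headers = {"Authorization": "Bearer " + issued}
    # Step 4: the server checks signature and expiry before trusting any claim.
    print(user_from_request(request_headers, secret))
    print(decode_unverified(DEMO_TOKEN))
    print(verify_jwt(DEMO_TOKEN, DEMO_SECRET) is not None)
    print(verify_jwt(forge_alg_none({"sub": "42", "role": "admin"}), secret))
```

The verifier deliberately ignores the token's own alg field and the claims until the HMAC has been checked; a server that reads roles out of decode_unverified() has no authentication at all, since the payload is plain base64url that anyone can edit.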
There are a few significant advantages to using token-based authentication:
- Stateless, scalable and decoupled: each token is self-contained, carrying all the data required to check its validity
- You can store additional data in the token itself, for example roles, access privileges and other data, as long as it is valid JSON (this data is signed but not encrypted, so anyone holding the token can read it; never put secrets in a JWT)
- Mobile ready: tokens are easy to implement in mobile and IoT applications
- Easy to maintain
- A token-based authentication approach with CORS enabled makes it easy to expose APIs to different services and domains
When it comes to disadvantages, however, these are the ones to consider:
- JWTs can be large, and the whole token travels with every request
- If the token is kept in the browser's local storage, any XSS flaw on the site can read and exfiltrate it (an HttpOnly cookie, by contrast, is not readable by script)
- Because no session record exists on the server, the server cannot look up or act on a user's session without the client presenting the token, and a token cannot be revoked before it expires unless you reintroduce server-side state (a deny-list, or short expiry with refresh tokens)
Which approach to choose?
Choosing the right approach for authentication varies based on the needs of the system. Both cookie-based and token-based approaches are not 100% perfect, but we can give you some insights on how to make the right choice for your project.
Choose token-based authentication when:
- The system spans several domains
- An API is consumed by several platforms (web, mobile, IoT)
Choose cookie-based authentication when:
- The user profile can be personalized
- The site needs to track analytics data
- When you do not want the user to log in every time they leave the site
One Pager Cheat Sheet
- Authentication is the process of exchanging user credentials for a unique identification, and this tutorial compares two of the most commonly used authentication types and lists their pros and cons.
- Cookie-based authentication uses a session cookie stored by the browser to verify and maintain a user session over the stateless HTTP protocol.
- Cookie-based authentication uses HTTP cookies to maintain session information and authenticate client requests over the stateless HTTP protocol, using the Set-Cookie response header to remember user information.
- Cookie-based authentication provides fully automated and stateful convenience, but can be susceptible to certain security risks if not used appropriately.
- Cookie-based authentication makes the application stateful, providing personalization and access control, but leaves it vulnerable to CSRF attacks, which is its main disadvantage.
- Token-based authentication using JWT (JSON Web Token) involves four steps: the server creates a signed token, the client adds it as an Authorization header, the token can be decoded via jwt.io for inspection, and the server verifies its signature.
- JWT is the most popular and widely used type of token authentication due to its integrity-protected (signed) transmission of data, its self-contained design, ease of use, flexibility and security.
- Token-based authentication can provide a stateless, scalable and decoupled authentication solution with additional data storage capabilities, as well as being mobile-ready; however, it can be susceptible to XSS attacks, token size can be an issue, and tokens cannot authenticate a user in the background on the server.
- JWT stands for JSON Web Token and is an open standard for transmitting signed JSON data, allowing customized data to be included in the token itself.
- We can choose between cookie-based and token-based authentication depending on whether we need user profiles to be personalized, need to track analytics, or need to serve several domains and platforms.