An introduction authentication

When dealing with sensitive information or paywalled content in an application, having safe client-server communication is key. Certain things require limited access. This is usually achieved by passing some credentials, and we can refer to this use of credentialing as "authentication".

More precisely, we can define authentication as the following:

Authentication is the process of exchanging user credentials for a piece of unique identification.

There are several possible ways to authenticate a user in your application, and they all come with their own pros and cons, depending on what you want to achieve.

In this tutorial, we'll compare two of the most commonly used authentication types, list their pros and cons, and point out their use cases.

Cookie based authentication

Cookie-based authentication is primary used in web browsers and applications. In this method, the client (from the client-server model) gets a cookie from the server, which is then stored in the browser's local storage. In further communication with the server, the client's browser will send that cookie with each request to verify that requests come from the same user, and keep the user authenticated.

This type of authentication uses HTTP cookies to authenticate client requests and maintain session (while the user is logged in) information on the server over the stateless HTTP protocol. As you might know, there are different types of cookies, and the one used in cookie-based authentication is a session cookie, which means it is only kept during the current session.

To better understand this, we will define the five steps that happen during this type of authentication:

The actual cookie

The cookie itself can have many properties, such as expiry date, domain, etc. It will be received as a header in the HTTP response, called Set-Cookie, and it may look something like this:

1HTTP/2.0 200 OK  
2Content-Type: text/html  
3Set-Cookie: <cookie-name>=<cookie-value>  
4Set-Cookie: <cookie-name>=<cookie-value>; Expires=<date>  
5Set-Cookie: <cookie-name>=<cookie-value>; Max-Age=<number>  
6Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain>  
7Set-Cookie: <cookie-name>=<cookie-value>; Path=<path>  
8Set-Cookie: <cookie-name>=<cookie-value>; Secure  
9Set-Cookie: <cookie-name>=<cookie-value>; HttpOnly  
10  
11[page content]

Some of the advantages of cookie-based authentication include:

• It is a fully automated process: the browser will take care of cookie handling, and it will automatically add the cookies for all the requests
• It makes your application stateful, which is useful in tracking and personalizing the state of a user
• Cookies prevent/reduce manipulation by client-side JavaScript
• Cookies are small in size and easy to store
• It can store additional data for user personalization, access control, etc.

However, there are also a few disadvantages of this type of authentication:

• It is vulnerable to Cross-site request forgery attacks - it often needs other security measures such as CSRF tokens for protection
• The cookie is sent on every request, even with the URLs that do not need authentication
• Cookies only work on a single domain unless you specially configure it
• For mobile apps, it is difficult to manage the cookies, so it is more suitable for web clients

Token-based authentication

Token-based authentication requires more manual setup than the cookie-based one, but it often can be used to overcome the shortcomings of the cookie-based approach.

In this type of authentication, the server verifies the user's credentials and sends back an encrypted token to the browser, where it is stored and can be added as an authorization header for the subsequent requests.

There are several unique approaches and implementations of token-based authentication. But for the purposes of this tutorial, we are going to give an example of the implementation of JWT (JSON Web Token). The token is generally sent as an addition Authorization header in the form of Bearer {JWT}, but can additionally be sent in the body of a POST request or even as a query parameter.

We can say there are four main steps in this approach:

The jwt.io website can be used to parse the JWT token information, and for encoding or decoding tokens to test.

The anatomy of a JWT token consists of three parts separated by dots. These parts include the header, the payload, and its signature respectively in the format header.payload.signature.

1eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

If we use the jwt.io website to decode this token, this is the information we would get:

Header - algorithm and token type

1{
2 "alg": "HS256",
3 "typ": "JWT"
4}

Payload data

1{
2 "sub": "1234567890",
3 "name": "John Doe",
4 "iat": 1516239022
5}

Verify signature

1HMACSHA256(
2  base64UrlEncode(header) + "." +
3  base64UrlEncode(payload),
4)

There are a few significant advantages to using token-based authentication:

• Stateless, Scalable, and Decoupled: each token is self-contained, containing all the data required to check its validity
• You can store additional data in the token itself - for example, roles, access privileges, and other data, as long as it is valid JSON data
• Mobile ready - tokens are easy to implement in mobile and IoT applications
• Easy to maintain
• A token-based authentication approach with CORS enabled makes it easy to expose APIs to different services and domains

When it comes to disadvantages however, these are the ones to consider:

• JWT tokens can be large in size
• If the token is placed in the browser's local storage it can be prone to XSS attacks
• Tokens cannot be used to authenticate a user in the background on the server since no session exists on the database level

Which approach to choose?

Choosing the right approach for authentication varies based on the needs of the system. Both cookie-based and token-based approaches are not 100% perfect, but we can give you some insights on how to make the right choice for your project.

Choose token-based authentication when:

• You need to use different domains of the system
• When an API is used by different platforms (web, mobile, IoT)

Choose cookie-based authentication when:

• The user profile can be personalized
• The site needs to track analytics data
• When you do not want the user to log in every time they leave the site

One Pager Cheat Sheet

• Authentication is the process of exchanging user credentials for a unique identification, and this tutorial will compare two of the most commonly used authentication types and list their pros and cons.
• Cookie-based authentication uses a session cookie stored in the browser's local storage to verify and maintain a user session over a stateless HTTP protocol.
• Cookie-based authentication uses HTTP cookies to maintain session information and authenticate client requests over the stateless HTTP protocol, utilizing the Set-Cookie response header to remember user information.
• Cookie-based authentication provides fully automated and stateful convenience, but can be susceptible to certain security risks if not used appropriately.
• Cookie-based authentication makes the application stateful, providing personalization and access control, but rendering it vulnerable to CSRF attacks, thus disadvantaging it.
• Token-based authentication utilizing JWT (JSON Web Token) involves four steps including creating an encrypted token, adding it as an authorization header, decoding the token via jwt.io, and verifying its signature.
• JWT is the most popular and widely used type of token authentication due to its secure transmission of data, self-contained features, and ease of use, flexibility, and security.
• Token-based authentication can provide a stateless, scalable and decoupled authentication solution with additional data storage capabilities, as well as being mobile-ready; however, it can be susceptible to XSS attacks, token size can be an issue, and tokens cannot authenticate a user in the background on the server.
• JWT stands for JSON Web Token and is an open standard that enables the secure transmission of valid JSON data, allowing for the inclusion of customized data in the token itself.
• We can choose between cookie-based or token-based authentication, depending on if we need user profiles to be personalized, track analytics, or make use of different domains & platforms.