Cookie based authentication
Cookie-based authentication is primarily used in web browsers and applications. In this method, the client (from the client-server model) gets a cookie from the server, which is then stored in the browser's local storage. In further communication with the server, the client's browser sends that cookie with each request to verify that the requests come from the same user and to keep the user authenticated.
This type of authentication uses HTTP cookies to authenticate client requests and maintain session information (while the user is logged in) on the server over the stateless HTTP protocol. As you might know, there are different types of cookies, and the one used in cookie-based authentication is a session cookie, which means it is only kept during the current session.
To better understand this, we will define the five steps that happen during this type of authentication:

The actual cookie
The cookie itself can have many properties, such as expiry date, domain, etc. It will be received as a header in the HTTP response, called Set-Cookie, and it may look something like this:
HTTP/2.0 200 OK
Content-Type: text/html
Set-Cookie: <cookie-name>=<cookie-value>
Set-Cookie: <cookie-name>=<cookie-value>; Expires=<date>
Set-Cookie: <cookie-name>=<cookie-value>; Max-Age=<number>
Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain>
Set-Cookie: <cookie-name>=<cookie-value>; Path=<path>
Set-Cookie: <cookie-name>=<cookie-value>; Secure
Set-Cookie: <cookie-name>=<cookie-value>; HttpOnly

[page content]
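
An added example, not part of the original page: a small Python audit of Set-Cookie values for the attributes listed above. The sample headers and the cookie name sessionid are constructed, and the checks assume the cookie carries a login session, where a cookie without Expires or Max-Age is a session cookie.

```python
# Added example (not from the original page): audit Set-Cookie values.
# SAMPLE_HEADERS are constructed; "sessionid" is an assumed cookie name.
SAMPLE_HEADERS = [
    "sessionid=abc123",
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "sessionid=abc123; Max-Age=86400; Domain=example.com; secure",
]


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in value.split(";")]
    name, sep, cookie_value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError("expected <cookie-name>=<cookie-value> first")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            # Attribute names are case-insensitive; Secure/HttpOnly carry no value.
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value.strip(), attrs


def audit_session_cookie(value):
    """Return (cookie name, findings) for a cookie that carries a login session."""
    name, _, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure: also sent over unencrypted HTTP")
    if "httponly" not in attrs:
        findings.append("no HttpOnly: readable by scripts in the page")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("Expires/Max-Age set: persists after the browser session ends")
    if "domain" in attrs:
        findings.append("Domain set: also sent to subdomains of " + attrs["domain"])
    return name, findings


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        name, findings = audit_session_cookie(header)
        print(header)
        for finding in findings or ["ok: session-only, Secure, HttpOnly, host-only"]:
            print("   ", finding)
```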