DEV Community

loading...

Discussion on: Do you need OAuth/OAuth2/OpenID Connect?

Collapse
antonfrattaroli profile image
Anton Frattaroli

Ah, yeah, seems to be pretty standard in Java stuff, which I avoided because of some experiences with Tomcat. ASP.NET uses a separate auth cookie from the session cookie. Even way back when I was doing PHP, it never occurred to me to lump the auth in with the session.

Sessions have made it on my list of top hated things, I wouldn't use them for anything. But, comparing auth cookie without session vs auth token, tokens look like the better option.