
Discussion on: What is really the difference between Cookie, Session and Tokens that nobody is talking about?

Nico Braun

I said that tokens are encrypted, which implies that the client can't "decode" it. Which actually should read "decrypt".
Base64, for example, is encoding. SHA256, which is usually used for JSON web tokens, is encryption.

Also, tokens are oftentimes not sent in a httpOnly cookie header, as this is for cookies only and is sometimes tricky to use. Many times you will find the token actually in the auth header with the Bearer prefix. Sometimes called a bearer token. In fact, OAuth2 is using bearer tokens.

Again, the client can't decrypt the token, so that's not a problem. The issue with storing the token in localStorage, for example, is not that someone could read the claims, but that someone could take the whole token without really knowing what's inside and still authenticate.

And saying all of this, you have to keep in mind that those tokens were also partly designed to make the work between services easier. So all those browser concepts, like localStorage or httpOnly cookies, don't always apply.
When using a token from your own backend, you can just store it in memory, for example.

Nico Braun

I was wrong on one aspect here. The header and the payload are indeed only encoded. Only the signature is encrypted. So anyone can read the payload.
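As an added example (mine, not from the thread), the Python below builds an HS256 JWT with a constructed secret, reads its claims without any key, and runs the server-side signature check; SECRET and the claims are constructed values, and the whole thing runs offline.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed example secret; the real one stays on the server only.
SECRET = b"example-server-secret-do-not-reuse"

def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding (RFC 7515).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact JWT; the signature is HMAC-SHA256 over 'header.payload'."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def read_claims_unverified(token: str) -> dict:
    """What anyone holding the token can do: reading the payload needs no key."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Server-side check: recompute the HMAC and compare in constant time.
    Returns the claims on success, None for a malformed or tampered token."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never let the token choose it
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(payload))
    except ValueError:  # bad base64, bad JSON or wrong segment count all land here
        return None

if __name__ == "__main__":
    token = sign_hs256({"sub": "alice", "role": "user"}, SECRET)
    print(read_claims_unverified(token))  # claims readable without SECRET
    print(verify_hs256(token, b"not-the-secret"))  # None: signature check fails
```

Readable is not the same as forgeable: a payload swapped in under the original signature still fails `verify_hs256`, which is why the real risk of localStorage is token theft rather than claim disclosure.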