The internet is full of opinions when it comes to implementing authentication and the use of sessions/cookies. We all agree that storing passwords in cookies or setting a value like admin = true is a very bad idea. We also have to deal with the prevention of XSS cookie stealing (appending document.cookie to an <IMG> element's src attribute, or whatever).
In many cases we also want to prevent a 'saved' cookie from successfully authenticating a different client or device when copied.
In your experience, what is the right way to handle authentication? In PHP, JavaScript or whatever language / framework you happen to prefer?
Top comments (3)
I've seen more services using localStorage or progressive webapp magic for sessions. I think this will become more popular.
I have a hard time imagining a post-Javascript internet that still uses cookies.
Would that be a token stored in localStorage that is used for token-based authentication via ajax?
Sure, if you need secure access to user information from the server. Alternatively, local storage can store or cache data that doesn't need to be secret.
So for example, authenticated user actions might require a token, but some information from secondary indexes might get stored client side to improve performance/reduce lookups.