First, let us focus on what cookies are.
Cookies are small pieces of text data that a website stores in your browser so that it can recognise you on later requests. A cookie normally holds an identifier, such as a session ID, rather than the username and password themselves (credentials should never be stored in a cookie). Cookies of this kind are known as HTTP cookies and are used to identify a specific user.
Now you might be thinking: what are these HTTP cookies?
Let's dive into it. HTTP cookies are built specifically for web browsers so that a site can recognise a user across requests and keep track of their session (a session is the period you spend on a particular site). When you visit a website, the web server sends a short piece of identifying data to the browser in a Set-Cookie response header, and the browser stores it.
If the user returns to that site in the future, the browser sends that data back to the web server in the Cookie request header. This is how the server recalls data from your previous session.
To put it in plain words, a cookie is like getting a ticket: you want to access a service, you pay for it (here, you log in), and in return you get a token or ID for reference. This token is stored locally in the browser and is attached automatically to every later call to that service, which lets the server identify the browser or user.
If you leave the site and come back, this cookie lets the server pick up where your last session ended.
This is how cookie-based (session) authentication works:
- The client sends a login request (with credentials) to the server from their device.
- The server validates the credentials. If they are correct, login succeeds and the web server creates a session record (in memory or in a database) and generates a random session ID for it.
- This session ID is stored in a cookie on the user's browser, and while the user is logged in the cookie is sent with every subsequent request.
- At each request the server reads the session ID from the cookie and looks it up in its session store. If a matching, unexpired session exists, the server treats the request as authenticated and sends the response back.
- When a logout request arrives, the server deletes the session from its store and tells the browser to expire the cookie; any copy of the old session ID is then useless.
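The flow above, as an added example that is not part of the original post: a minimal server-side session store written against the standard library only. The class and function names, the one-user table, the session lifetime and the cookie attributes are assumptions made for this illustration, not a specific framework's API.

```python
# Added example (not from the original post): cookie-based session authentication.
# SessionStore, USERS, SESSION_TTL and the cookie name "sid" are assumed names.
import hashlib
import hmac
import secrets
import time
from typing import Optional

SESSION_TTL = 3600  # seconds a session stays valid after login (assumed value)

# Constructed sample user table: username -> password hash. A real app would use
# a slow password hash (bcrypt/argon2); SHA-256 is used here only to keep the
# example dependency-free.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


class SessionStore:
    """Server-side store: the browser only ever sees the random session ID."""

    def __init__(self) -> None:
        self._sessions: dict = {}  # session id -> {"user": ..., "expires": ...}

    def login(self, username: str, password: str, now: Optional[float] = None) -> Optional[str]:
        """Validate credentials; on success create a session and return its ID."""
        now = time.time() if now is None else now
        expected = USERS.get(username)
        given = hashlib.sha256(password.encode()).hexdigest()
        # compare_digest keeps the comparison constant-time; an unknown user still
        # runs the comparison so the timing does not reveal whether the name exists
        if expected is None or not hmac.compare_digest(expected, given):
            return None
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness: unguessable
        self._sessions[sid] = {"user": username, "expires": now + SESSION_TTL}
        return sid

    @staticmethod
    def set_cookie_header(sid: str) -> str:
        """Response header that hands the ID to the browser; HttpOnly keeps it away
        from page scripts, Secure restricts it to HTTPS, SameSite limits CSRF."""
        return f"Set-Cookie: sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"

    def authenticate(self, cookie_header: str, now: Optional[float] = None) -> Optional[str]:
        """Middleware step: read the sid cookie and look it up. Returns the user
        name for a live session, or None if the cookie is missing, unknown or expired."""
        now = time.time() if now is None else now
        cookies = {}
        for part in cookie_header.split(";"):
            if "=" in part:
                key, value = part.strip().split("=", 1)
                cookies[key] = value
        sid = cookies.get("sid")
        session = self._sessions.get(sid) if sid else None
        if session is None:
            return None
        if session["expires"] <= now:
            del self._sessions[sid]  # lazy cleanup of expired sessions
            return None
        return session["user"]

    def logout(self, sid: str) -> str:
        """Drop the server-side record and return a header that expires the cookie."""
        self._sessions.pop(sid, None)
        return "Set-Cookie: sid=; Max-Age=0; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice", "correct horse")
    print(store.set_cookie_header(sid))
    print("authenticated as:", store.authenticate(f"theme=dark; sid={sid}"))
    print(store.logout(sid))
    print("after logout:", store.authenticate(f"sid={sid}"))
```

Because the session record lives on the server, logout (or an admin deleting the record) takes effect immediately for every request that still carries the old ID; that is the property the token-based approach below gives up.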
Now let us have a look at token-based authentication:
Here the user's data is stored on the client side itself. This is usually achieved with a JSON Web Token (JWT), a standard for transmitting claims between client and server as JSON that has been signed, so the server can detect any tampering.
Now let's dive into JWT.
A JWT consists of three parts separated by dots (.):
- The first section is the header; it states the signing algorithm (alg) and the token type (typ).
- The second section is the payload; it holds the claims about the user, for example a user ID and an expiry time (exp). It is only base64url-encoded, not encrypted, so anyone holding the token can read it: never put secrets in the payload.
- The third section is the signature, computed over the first two sections with a secret key (HMAC) or a private key (RSA/ECDSA). It is a signature, not encryption: it proves the token was issued by the server and has not been modified.
This is what a sample token looks like:
- The user submits login credentials.
- On receiving the request, the server verifies the credentials, builds a JWT, signs it with its secret and sends it back to the client.
- On the client side the browser stores the token locally (in local storage, session storage or a cookie). Note that local and session storage are readable by any JavaScript running on the page, so an XSS bug leaks the token; an HttpOnly cookie is not readable by scripts.
- On future requests the token is sent in the Authorization header (Authorization: Bearer <token>), and it is the server's duty to verify the signature and the expiry before processing the request. This check is usually implemented as authentication middleware.
- On logout the client simply discards the token; no server interaction is needed. The flip side is that the server cannot revoke a token it has already issued: it remains valid until its exp claim passes, unless the server keeps a denylist of revoked tokens (which reintroduces server-side state).
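The token structure and the login / middleware / logout flow described above, as an added example that is not part of the original post: minting and verifying an HS256 JWT with only the Python standard library. The secret, the claim values and the function names are assumptions for this illustration; the example also goes one step beyond the text by showing what verification must reject (a tampered payload, an expired token, and a token whose header claims the "none" algorithm).

```python
# Added example (not from the original post): HS256 JSON Web Tokens by hand.
# SECRET, the claims and the function names below are assumptions for illustration.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"assumed-demo-secret-do-not-reuse"  # constructed; real secrets come from config


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes = SECRET, ttl: int = 900, now: Optional[float] = None) -> str:
    """Build header.payload.signature; the payload is readable by anyone, only the
    signature needs the secret."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=int(now), exp=int(now) + ttl)
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the token is authentic and unexpired, otherwise None."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        given_sig = b64url_decode(s_b64)
    except ValueError:  # wrong part count, bad base64 or bad JSON (binascii.Error is a ValueError)
        return None
    # Pin the algorithm server-side: the token must never choose how it is verified.
    # This rejects alg "none" and algorithm-confusion tricks.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, given_sig):  # constant-time comparison
        return None
    try:
        payload = json.loads(b64url_decode(p_b64))
    except ValueError:
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int):
        return None
    if payload["exp"] <= now:
        return None  # expired: the only way a stateless token ever stops working
    return payload


def authorize(headers: dict, now: Optional[float] = None) -> Optional[str]:
    """Middleware-style check of the Authorization header; returns the user (sub) or None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return None
    payload = verify_jwt(value[len("Bearer "):], now=now)
    return payload.get("sub") if payload else None


def forge_none_token(claims: dict) -> str:
    """What an attacker who knows no secret can produce: alg "none", empty signature.
    A verifier that honours the header's alg would accept it; ours does not."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(dict(claims, exp=2_000_000_000)).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    token = mint_jwt({"sub": "alice"})
    print(token)
    print("payload readable without the secret:", json.loads(b64url_decode(token.split(".")[1])))
    print("authorized as:", authorize({"Authorization": "Bearer " + token}))
    print("forged alg=none accepted?", verify_jwt(forge_none_token({"sub": "admin"})) is not None)
```

Two details carry the security of the whole scheme: the algorithm is fixed by the server rather than read from the token, and the signature comparison is constant-time. Neither is visible in the three-part structure, which is why "just base64-decode it" is enough to read a token but never enough to trust one.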
The key differences between the two approaches:
- Cryptographic signature: JSON Web Tokens carry a cryptographic signature, so the server can verify their contents without looking anything up. A session cookie carries only an opaque random ID, and the server trusts whatever its own session store says about it.
- Stateless: JSON Web Tokens are stateless because the claims travel inside the token, stored on the client side (in local storage or a cookie), rather than in the server's memory.
- Scalability: session data kept in the server's memory or database grows with traffic and must be shared between servers in a cluster, so a busy site can spend a lot of resources on it. Since JSON Web Tokens are stateless, any server that holds the secret can verify them, which can save server resources and simplify horizontal scaling. The trade-off is that a stateless token cannot be revoked before it expires, so keep token lifetimes short.
JSON Web Tokens and session cookies both offer secure user authentication when implemented carefully, but they have key differences that make them suitable in different situations. I hope you found this useful and learned something new from it.