Token Authentication vs. Cookies

by

HTTP is stateless. In order to authorize you, you have to “sign” every single request you’re sending to server.

Token authentication

  • A request to the server is signed by a “token” – usually it means setting specific HTTP headers, however, they can be sent in any part of the HTTP request (POST body, etc.)

  • Pros:

  • You can authorize only the requests you wish to authorize. (Cookies – even the authorization cookie are sent for every single request.)

  • Immune to XSRF (Short example of XSRF – I’ll send you a link in email that will look like <img src="http://bank.example?withdraw=1000&to=myself" />, and if you’re logged in via cookie authentication to bank.example, and bank.example doesn’t have any means of XSRF protection, I’ll withdraw money from your account simply by the fact that your browser will trigger an authorized GET request to that url.) Note there are anti forgery measure you can do with cookie-based authentication – but you have to implement those.

  • Cookies are bound to a single domain. A cookie created on the domain foo.example can’t be read by the domain bar.example, while you can send tokens to any domain you like. This is especially useful for single page applications that are consuming multiple services that are requiring authorization – so I can have a web app on the domain myapp.example that can make authorized client-side requests to myservice1.example and to myservice2.example.

  • Cons:

    • You have to store the token somewhere; while cookies are stored “out of the box”. The locations that comes to mind are localStorage (con: the token is persisted even after you close browser window), sessionStorage (pro: the token is discarded after you close browser window, con: opening a link in a new tab will render that tab anonymous) and cookies (Pro: the token is discarded after you close the browser window. If you use a session cookie you will be authenticated when opening a link in a new tab, and you’re immune to XSRF since you’re ignoring the cookie for authentication, you’re just using it as token storage. Con: cookies are sent out for every single request. If this cookie is not marked as https only, you’re open to man in the middle attacks.)

  • It is slightly easier to do XSS attack against token based authentication (i.e. if I’m able to run an injected script on your site, I can steal your token; however, cookie based authentication is not a silver bullet either – while cookies marked as http-only can’t be read by the client, the client can still make requests on your behalf that will automatically include the authorization cookie.)

  • Requests to download a file, which is supposed to work only for authorized users, requires you to use File API. The same request works out of the box for cookie-based authentication.

Cookie authentication

  • A request to the server is always signed in by authorization cookie.
  • Pros:
    • Cookies can be marked as “http-only” which makes them impossible to be read on the client side. This is better for XSS-attack protection.
    • Comes out of the box – you don’t have to implement any code on the client side.
  • Cons:
    • Bound to a single domain. (So if you have a single page application that makes requests to multiple services, you can end up doing crazy stuff like a reverse proxy.)
    • Vulnerable to XSRF. You have to implement extra measures to make your site protected against cross site request forgery.
    • Are sent out for every single request, (even for requests that don’t require authentication).

Overall, I’d say tokens give you better flexibility, (since you’re not bound to single domain). The downside is you have to do quite some coding by yourself.

More Related Contents:

  1. Set cookies for cross origin requests
  2. How does cookie based authentication work?
  3. Why are cookies unrecognized when a link is clicked from an external source (i.e. Excel, Word, etc…)
  4. OWIN – Authentication.SignOut() doesn’t seem to remove the cookie
  5. Sending cookie session id with Swagger 3.0
  6. Authentication filter and servlet for login
  7. PHP Curl And Cookies
  8. How to secure MongoDB with username and password
  9. Error when connect to impala with JDBC under kerberos authrication
  10. SPA best practices for authentication and session management
  11. Socket.IO Authentication
  12. user authentication libraries for node.js?
  13. Forgot Password: what is the best method of implementing a forgot password function?
  14. Authentication with 2 different tables
  15. What if JWT is stolen?
  16. CSRF Token necessary when using Stateless(= Sessionless) Authentication?
  17. Login to website using python
  18. IIS7: Setup Integrated Windows Authentication like in IIS6
  19. CakePHP remember me with Auth
  20. How to use Windows Active Directory Authentication and Identity Based Claims?
  21. How to manually decrypt an ASP.NET Core Authentication cookie?
  22. In Subversion can I be a user other than my login name?
  23. PHP authentication with multiple domains and subdomains
  24. How to use Github Personal Access Token in Jenkins
  25. ASP.NET MVC 3 using Authentication
  26. Customize Authentication – Login Symfony2 Messages
  27. How to use Client Certificate Authentication in iOS App
  28. Trouble getting ClaimsPrincipal populated when using EasyAuth to authenticate against AAD on Azure App Service in a Asp.Net Core web app
  29. How does OpenID authentication work?
  30. Web API 2, OWIN Authentication, SignOut doesn’t logout

Leave a Comment