## Stateless vs stateful authentication

![](https://media.giphy.com/media/7u7YHG3cmQzTy/giphy.gif)

---

## Introduction -H

The default behaviour of HTTP is stateless: each request is unaware of any previous actions, e.g. previous logins. We need authentication to tell the server we are already logged in.

---

### Session-based Authentication (session cookies) -V

- Authentication is done server-side.
- The session id is stored in a cookie that is sent back with every request. 🍪
- The session id is randomly generated (so it is hard to guess).
- The server has to look up the session id on every request.
- The session id only lasts for the duration of the session (i.e. until you log out).

---

![image alt](https://i.imgur.com/cGa7eQn.png)

---

## Token-based Authentication a.k.a. JWT Authentication a.k.a. Bearer Tokens -R

![](https://media.giphy.com/media/eNuodeoJ9kM8pWwZMq/giphy.gif =400x)

---

### Digital signatures - R

![](https://i.imgur.com/RAWrWnK.png)

---

### Token-based Authentication - R

- Authentication is done server-side.
- The server returns a 'token' (a string generated by the server).
- At minimum this identifies the user and how long they are authenticated for.
- It can also include arbitrary data in this token.
- This token is digitally signed, so the server can check it has not been tampered with when it sees it again.
- The client sends this token via JS when it needs a resource.

---

### JWT (JSON Web Token) (A)

User data is digitally signed into a JWT with a secret. It is stored on the client side and sent as a header for subsequent requests. It looks like this:

```
headers: {
  "Authorization": "Bearer ${JWT_TOKEN}"
}
```

The server receives this JWT and validates it before sending the response to the client.
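---

### JWT: issuing and validating (example)

To make the signing and validation step concrete, here is an added example (not code from the original slides or the linked articles) that mints an HS256 JWT with Python's standard library and validates an `Authorization: Bearer` header the way the slide describes. The secret value and the `issue_token` / `verify_bearer` function names are assumptions for illustration; `sub`, `iat` and `exp` are the standard JWT claim names.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret for this example only (not a real key).
SECRET = b"example-hs256-secret-do-not-reuse"

def _b64url(data: bytes) -> str:
    # JWT segments use unpadded base64url.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def issue_token(user_id: str, ttl_seconds: int, now: int, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT carrying the user id and an expiry (the minimum claims)."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = {"sub": user_id, "iat": now, "exp": now + ttl_seconds}
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_bearer(authorization_header: str, now: int, secret: bytes = SECRET):
    """Validate an 'Authorization: Bearer <jwt>' value; return its payload or None.
    Rejects a wrong scheme, a malformed token, an unexpected alg (including 'none'),
    a bad signature (constant-time compare) and an expired token."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return None
    h64, p64, s64 = token.split(".")
    try:
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except ValueError:
        return None
    # Pin the algorithm server-side instead of trusting the token's header.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload
```

Note that the payload is only base64url-encoded, not encrypted: anyone holding the token can read it, which is why the slides say sensitive data should stay out of it.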
---

(A)

![image alt](https://i.imgur.com/OCD5AJB.png =400x)

---

### Advantages of Session-based (stateful) authentication -H

![](https://media.giphy.com/media/c20UV66B7zCWA/giphy.gif)

---

### Disadvantages of Session-based (stateful) authentication -H

![](https://media.giphy.com/media/l4Ep2qYRfpVFIUVDa/giphy.gif)

---

### Scalability 📈 -V

- Sessions are stored server-side.
- This uses resources (e.g. databases) which cost money and don't scale. 💸

---

### Security 🔐 -H

- CSRF relies on session cookies: if you run malicious JS code it may be able to make harmful requests to other sites your browser is logged into.
- XSS can be used to steal cookies, and those cookies can then be used to impersonate the user.
- Cookies are client-side, so they can be changed by the user and cannot be trusted by the server.
- Cookies + CORS don't play well across different domains.

---

### Advantages of Token-based (stateless) authentication? - R

- A token-based approach allows you to make AJAX calls to any server.
- We are using an HTTP header to transmit the user information.
- Doesn't have problems with the "same origin policy" / CORS.
- Scales well. The server doesn't need to store sessions, which reduces load on the database/memory.
- Tokens can be generated and authenticated in different places.
- Very granular control of permissions.

---

### Disadvantages of Token-based (stateless) authentication? (A)

- More user data is stored in a JWT compared with the session id in a cookie.
- Only the necessary information should be stored, to control the size.
- Sensitive information should be omitted from the JWT (its payload is only encoded, not encrypted) so that an XSS attack cannot read it.

---

### Resources 📖 - V

- [JSON Web Tokens vs Session Cookies: In Practice](https://ponyfoo.com/articles/json-web-tokens-vs-session-cookies)
- [What really is the difference between session and token based authentication](https://dev.to/thecodearcher/what-really-is-the-difference-between-session-and-token-based-authentication-2o39)