The two most common types of authentication are session cookies and tokens.
Session Cookies
- Session Cookies are small data stored both on the server and the client.
- The server often keeps track of sessions in a database or memory.
- A browser controls cookies on the client side. They're included with every request.
- Session cookies are stateful.
- Each session has a unique ID that the server uses to identify the current user and all the information related to that user.
- Cookies allow a domain and its subdomains to exchange information.
- Sharing cookie information with another domain is not possible.
- You can use the "HttpOnly" setting to prevent JavaScript tampering on client sites.
- Remember that only HTTPS connections are secure for cookies. The "Secure" flag can be used for this reason. It ensures that cookies will be sent only if the connection type is HTTPS.
Tokens
- In essence, tokens are a collection of letters and numbers.
- Tokens have no state. It implies that no information about the token needs to be stored on the server.
- The tokens stand alone. This signifies that the token has all the data needed for server-side verification.
- Since no database searches are necessary, they are appropriate for API authentication.
- Tokens are incredibly adaptable and work with multiple platforms.
- Additionally, there is nothing like domain restriction. Tokens can be transferred between various domains. Because they are self-contained, they are larger in size than cookies.