Auth
Session-based Authentication -
Server does the heavy lifting server-side => a session record is created and stored for each logged-in user.
A client authenticates with its credentials and receives a session_id (usually set as a cookie).
session_id is only an opaque identifier; every request triggers a lookup of the record it points to.
Scales poorly: the session store has to be shared (or sticky sessions used) across every server that can handle a request.
Token-based Authentication -
No session is persisted server-side (stateless) => the server stores nothing per user; instead it issues a unique, signed (encoded) token that is verified on every request.
The client attaches the token to every subsequent request (typically in an Authorization: Bearer header).
A string carrying all the necessary claims, signed by the server, is issued (the token).
Cross-domain / CORS
A token-based approach allows you to make AJAX calls to any server, on any domain, because the token is sent explicitly in a header rather than via cookies that are bound to one domain. The browser's CORS rules still apply: the receiving server must allow the calling origin and the Authorization header.
Stateless
Tokens are stateless. There is no need to keep a session store, since the token is a self-contained entity that carries the user information (claims) needed to authorize the request. The trade-off: a token stays valid until it expires, so revoking it early needs extra state (a denylist) or short lifetimes combined with refresh tokens.
CSRF (Cross Site Request Forgery)
Because the application does not rely on cookies for authentication, it is not vulnerable to cross site request forgery: the browser never attaches the token on its own, so a forged request from another site arrives without it. This only holds if the token travels in a header; store it in a cookie and CSRF defences are needed again. The flip side is that a token readable by JavaScript (e.g. kept in localStorage) is exposed to XSS.
Performance
In terms of server-side load, a network round trip (e.g. finding a session in a database) is likely to take more time than computing an HMAC-SHA256 over the token and parsing its contents, making token-based authentication faster than the traditional alternative. Compare the signature with a constant-time function and check the expiry claim as part of the same validation.
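As an added example (not code from the original page), here is a minimal Python sketch of both models described above: a session store kept as a plain dict, and an HS256-signed, JWT-shaped token that is issued, verified with a constant-time HMAC comparison and an expiry check, and read only from an explicit Authorization header. The names SECRET_KEY, SESSION_STORE, issue_token, verify_token, tamper_token and authenticate_request are this example's own, not a library API; the key and the timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed for this example: a per-process key. A real deployment loads it
# from a secret store and rotates it.
SECRET_KEY = secrets.token_bytes(32)

# ---- Session-based: the server keeps a record for every logged-in user ----
SESSION_STORE: dict = {}


def create_session(user: str) -> str:
    """Store a record server-side and hand back an opaque identifier."""
    session_id = secrets.token_urlsafe(32)
    SESSION_STORE[session_id] = {"sub": user, "created": int(time.time())}
    return session_id


def lookup_session(session_id: str) -> Optional[dict]:
    """Every request costs a store lookup (a network round trip once the store is Redis or a DB)."""
    return SESSION_STORE.get(session_id)


# ---- Token-based: nothing stored per user; the token carries signed claims ----
def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, ttl_seconds: int = 900, now: Optional[int] = None) -> str:
    """Issue a JWT-shaped HS256 token: header.payload.signature, base64url encoded."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(SECRET_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None.
    The algorithm is pinned server-side; the token's own header is never consulted
    for it, which closes the classic 'alg: none' confusion."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(SECRET_KEY, signing_input, hashlib.sha256).digest()
        # Constant-time comparison: a plain == leaks timing about the first wrong byte.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong part count, bad base64, bad JSON, non-ASCII input
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int):
        return None
    if payload["exp"] <= now:
        return None
    return payload


def tamper_token(token: str, new_sub: str) -> str:
    """Constructed attack: rewrite the claims but keep the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload["sub"] = new_sub
    forged = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return ".".join((header_b64, forged, sig_b64))


def authenticate_request(headers: dict, now: Optional[int] = None) -> Optional[dict]:
    """Read the token from an explicit header only. The browser never adds
    Authorization by itself, so a forged cross-site request arrives unauthenticated;
    reading the token from a cookie instead would bring CSRF back."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return verify_token(auth[len("Bearer "):], now=now)


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock so the run is reproducible
    token = issue_token("alice", ttl_seconds=60, now=t0)
    print("valid:", verify_token(token, now=t0 + 30))
    print("expired:", verify_token(token, now=t0 + 60))
    print("forged:", verify_token(tamper_token(token, "admin"), now=t0 + 30))
    print("cross-site, no header:", authenticate_request({}, now=t0 + 30))
```

Run it directly to see the four outcomes; the forged token fails because the claims changed but the HMAC did not, and the request without an Authorization header is rejected even though a session cookie would have been sent automatically in the session-based model.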