Authentication : Session id VS Auth Token

Authentication is a key component while building any web Application nowadays. In simple terms, it means validating that the user which is trying to access some resources from our app is allowed to do it or not. Login / Logout of user is one such example.

Nowadays, there are many ways of Authentication of a user, some of the popular ones are :
1. Cookie based authentication
2. Token Based Authentication
3. OAuth 2.0

In this article, we will be comparing two popular methods i.e a comparison between Cookie based authentication and Token based Authentication. So, let’s get started.

Cookie based authentication:
In cookie based authentication, user logins with his/her creds, server verifies them, and if creds are correct then server generates a unique session id for that particular user and stores that mapping of user and session id either in normal database (mongo, sqllite, etc) or maintains record in in-memory databases such as redis.

After receiving the session id from successful login response, the client stores it mostly in form of cookie , and every time the client makes a subsequent api call to server, it attaches the session-id in form of cookie on the request object.

After receiving the request object from client, server verifies it from the mapping and handles the necessary request.

Pros :
1. Easy to implement.
2. Payload size is less while attaching session id in each request.
3. HttpOnly Flag: Session cookies can be created with the HttpOnly flag which secures the cookies from malicious JavaScript code like XSS attack.

Cons :
1. It is stateful. Server have to lookup database each time a request comes, for verifying mapping between a session id and a user and to check whether a session is valid or not.
2. Some security issues can arise if someone gets your session id.
3. While scaling (i.e when number of user increases), it can create a lot of load to backend servers.
4. Cookies are vulnerable/susceptible to CSRF attacks.

Token Based Authentication:
This method is state-less, i.e server does not have to lookup in DB every time a request being hit by the client. Client logins with his/her creds, after successful verification, server generates a token for that particular user. The token itself has all meta data related to that user (i.e it’s permissions, etc) along with other useful info. Mostly developers use JWT (JSON WEB TOKEN). JWT comprises of 3 parts :
1. Header
2. Payload
3. Signature

Header : it usually have info like hashing algorithm used, secret key etc.
header : hashing algo + secret key used + …

Payload : contains meta info of user like it’s access permission, etc.

Signature : signature helps the server to verify that the token is legit-imitate or not.
signature : HASH FUNCTION ( [encode(header) + encode(payload)] , [secret key] )

So, JWT : Header + Payload + Signature

The client upon receiving this token, passes this in headers of each subsequent request. The server upon receiving the request validates the token from headers whether it is legitimate or not.
I have implemented this in a simple flask app. You can check out the project here :
I have used pyjwt python package in the project.

Pros :
1. state-less : the server does not have the head-ache to lookup in DB upon each request. it just have to validate for legitimate token.
2. Scalability : the server can scale well upon increase in number of user.

Cons :
1. XSS: Since the session tokens are stored in the local data storage of the browser and it is accessible to the JS of the same domain. Hence there is no option to secure session identifier from XSS attacks unlike HTTPOnly security flag which is available in the cookie-based authentication.

Hope the above article helped you in understanding two most popular ways of Authenticating a user.

Happy Hacking 🙂




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.