authentication sessionid vs cookie

I am trying to figure out the pros and cons of using sessionid based authentication vs cookie based authentication

As far as I can see in cookie based authentication

  • User submits a login request sending their credentials
  • The credentials are checked against a database
  • Cookie will be set with the user details
  • This will be done over https and the cookies will be encrypted.
  • In .net if this is the authcookie user identity will be set
  • The db is hit just once and subsequent calls just check the auth cookie

In case of session based authentication

  • User submits a login request sending their credentials
  • The credentials are checked against a database
  • A session id is generated and is also stored in a db
  • Cookie will be set with the user details and a generated session id
  • Subsequent calls will compare the session id against the one in the database
  • The db is hit every time

Questions

Is there any reason to prefer one over the other? Is the cookie based less secure (even if you encrypt and sign them)? Is the performance of session based worse since it hits the database during each call? I have seen several sites leaning one way or the other but could not get a clear picture of what approach to use. Any discussions/suggestions would be greatly appreciated.

user275157 asked Jun 23 '11 12:06

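To make the two flows in the question concrete, here is an added example (not from the question or the answer, and not .NET's Forms Authentication) in Python. It models the stateless variant as a signed ticket that needs no database lookup, and the stateful variant as a random session id stored server-side; the key, the in-memory `SESSIONS` dict standing in for the session table, and the use of an HMAC tag instead of encryption are all constructed assumptions for the example. It also shows the trade-off the question is circling: the ticket stays valid until it expires, while the server-side session can be revoked at once.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"constructed-demo-key"   # constructed for this example; load from config in real code
SESSIONS = {}                       # stands in for the session table in the database

def issue_cookie_ticket(user, ttl=3600, now=None):
    """Stateless ticket: user details plus expiry, integrity-protected with an HMAC tag."""
    now = time.time() if now is None else now
    payload = base64.urlsafe_b64encode(json.dumps({"u": user, "exp": now + ttl}).encode())
    tag = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + tag

def verify_cookie_ticket(ticket, now=None):
    """No database access: recompute the tag (constant-time compare), then check expiry."""
    now = time.time() if now is None else now
    try:
        payload, tag = ticket.rsplit(".", 1)
    except ValueError:
        return None                                  # malformed cookie
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None                                  # tampered or forged
    data = json.loads(base64.urlsafe_b64decode(payload))
    return data["u"] if data["exp"] > now else None  # expired tickets are rejected

def issue_session(user, ttl=3600, now=None):
    """Stateful: an unguessable id is stored server-side; the cookie carries only the id."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"u": user, "exp": now + ttl}
    return sid

def verify_session(sid, now=None):
    """Every request hits the store, which is exactly what makes revocation immediate."""
    now = time.time() if now is None else now
    row = SESSIONS.get(sid)
    return row["u"] if row and row["exp"] > now else None

def revoke_session(sid):
    """Logout or forced sign-out: the id stops working on the very next request."""
    SESSIONS.pop(sid, None)
```

The `now` parameter exists only so expiry can be exercised deterministically; production code would use the real clock and keep the ticket short-lived, since a signed ticket cannot be invalidated before it expires without adding server-side state.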


1 Answer

I'm having a hard time digesting this question. To my knowledge, forms-based authentication comes in two flavors: cookies and cookieless. Cookie-based authentication is preferred.

In the cookie-based version, the user gets a cookie whose value is an encrypted Forms Authentication Ticket. The cookie is encrypted at the server. Unless the encryption key is shared from machine.config or over-written in Web.config, the cookie can only be decrypted by the server that issued it. I believe the encryption is AES, which is very secure.

In the cookieless approach, the payload of the cookie is put in the url using an HTTPModule. This approach is only used when the device does not support cookies (rare). The cookieless approach is not preferred - it makes AJAX more difficult.

See:

http://msdn.microsoft.com/en-us/library/1d3t3c61.aspx

and

http://support.microsoft.com/kb/910443

Brett answered Nov 01 '22 22:11
