Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

authentication sessionid vs cookie

Tags:

language-agnostic

authentication

session

forms-authentication

I am trying to figure out the pros and cons of using sessionid based authentication vs cookie based authentication

As far as I can see in cookie based authentication

  • User submits a login request sending their credentials
  • The credentials are checked against a database
  • Cookie will be set with the user details
  • This will be done over https and the cookies will be encrypted.
  • In .net if this is the authcookie user identity will be set
  • The db is hit just once and subsequent calls just check the auth cookie

In case of session based authentication

  • User submits a login request sending their credentials
  • The credentials are checked against a database
  • A session id is generated and is also stored in a db
  • Cookie will be set with the user details and a generated session id
  • Subsequent calls will compare the session id against the one in the database
  • The db is hit every time

Questions

Is there any reason to prefer one over the other? Is the cookie based less secure (even if you encrypt and sign them)? Is the performance of session based worse since it hits the database during each call? I have seen several sites leaning one way or the other but could not get a clear picture of what approach to use. Any discussions/suggestions would be greatly appreciated.

like image 441
user275157 Avatar asked Jun 23 '11 12:06

user275157

1 Answers

I'm having a hard time digesting this question. To my knowledge, forms-based authentication comes in two flavors: cookies and cookieless. Cookie-based authentication is preferred.

In the cookie-based version, the user gets a coookie whose value is an encrypted Forms Authentication Ticket. The cookie is encrypted at the server. Unless the encryption key is shared from machine.config or over-written in Web.config, the cookie can only be decrypted by the server that issued it. I believe the encryption is AES, which is very secure.

In the cookieless approach, the payload of the cookie is put in the url using an HTTPModule. This approach is only used when the device does not support cookies (rare). The cookieless approach is not preferred - it makes AJAX more difficult.

See:

http://msdn.microsoft.com/en-us/library/1d3t3c61.aspx

and

http://support.microsoft.com/kb/910443

like image 99
Brett Avatar answered Nov 01 '22 22:11

Brett
Sign in to Comment

Related questions

What are the advantages and disadvantages of the Session Façade Core J2EE Pattern?
How to use jQuery AJAX $.post to store PHP $_SESSION variables?
Tomcat create a new session for every request
How to isolate user sessions in a Java EE?
Large PHP session slowing down web application
Apache ProxyPass and Sessions
Prepend user ID to all log messages in Rails
Continue Browser Session in JNLP
Is there any way to determine the *actual* session save path?
How to maintain user sessions in DropWizard?
Node Express Connect - Session Management
Ruby on Rails sneakily changing nested hash keys from symbols to strings
How to set the expiration time for a cookie managed by Plack::Middleware::Session?
Points about sessions in ASP.NET
Session cookie not expiring When Chrome Browser is closed on smart phones
How to disable session in php?
Laravel 5.2 - How to logout a user from all of his devices
Firebase session expiration
How to get session token when authenticating to JSON REST API (in R)
How to keep last web session active in react-native-webview?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!