Background:
I am developing a web application, planned to use spring-mvc and spring security. My plan is to use form based authentication where spring security authenticates credentials and sets a session JSESSIONID so that subsequent requests would be authenticated based on the cookie present in request header.
My understanding:
Web applications requests should have state. This state can be accomplished by using the session.
Purely session based authentication are vulnerable to CSRF attacks. As spring security provides CSRF protection, i didn't find any security loop holes using session + CSRF protection.
access-tokens are only used to give access to APIs which has been exposed for third party applications.
My Question:
But when i see lot of questions in this site, people are using token(OAuth2/JWT) based authentication for web application. But what i believed is tokens are only used to give access to APIs.
But when i see people using tokens for web applications i just got this question. Assuming token based web applications does not uses session but expects token in the header of every request.
When we should go for token based authentication in web application.
As far as security is concerned, which one is good? Session + CSRF or token based authentication.
I am confused with use cases of token and session.
EDIT:
Most often, it depends on your clients.
For example, for mobile clients (e.g.JSONpayload overHTTP), there is no such thing as aSession.JWThas the advantage to workcross-origin. In contrast, a Session-based auth method withCookiesworks only for the same (Sub)-domain) and scales not that well.
However, it is easier to invalidate aSessionthan aJWT. Since you anyway useSpring-MVCand i guess scalability is not critical, just go with the one you are more comfortable.
conclusion: Session supports requests only from same origin, token based authentication preferred for authenticating cross origin requests.
Most often, it depends on your clients. For example, for mobile clients (e.g. JSON payload over HTTP), there is no such thing as a Session.
JWT
Session
Other approaches: Open Source Identity Providers like Keycloak with e.g. traefik as load balancer have become quite popular. This brings the advantage, that new routes can go live without restarting any service. Also, in some cases, it saves application downtime caused due to an excessive rate of API calls.
To conclude: Many roads lead to Rome. It always depends on the specific requirements, the environment and the skills of the team. Since you anyway use Spring MVC and I guess scalability is not critical, just go with the one you are more comfortable..
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With