
Spring Security - REST API - token vs. cookie

I have written a REST API in Java and I have secured this API with Spring Security. The procedure is like this:

  1. Frontend invokes /login RestService in Backend
  2. Backend gives back token to frontend
  3. At each REST API backend invocation the token has to be placed in the header

This works fine, but I have read that it is also possible (with Node.js/Passport.js/Express.js) that the session object with the cookie inside can be transferred out of the box without any custom code.

My question now would be if there is a better approach so that the frontend/client does not need to set the token into the header all the time for any request.

quma asked Jun 02 '15 14:06


1 Answer

Usually token based authentication has advantages over cookie based.

You can achieve this using a middleware layer.

Here is a good post: https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/

Paul John answered Nov 10 '22 09:11
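The middleware layer mentioned in the answer, sketched as an added example that is not part of the original thread: a small client wrapper that logs in once against `/login` and then attaches the token to every request to the backend, so calling code never sets the header itself. The `Authorization: Bearer` header, the `{ "token": ... }` login response and the name `createApiClient` are assumptions, since the question does not say which header or response format the backend uses.

```javascript
// Added example, not code from the thread.
// Assumptions: "Authorization: Bearer <token>" header and a JSON login
// response of the form { "token": "..." }; the post specifies neither.
function createApiClient(apiOrigin, fetchImpl = globalThis.fetch) {
  const origin = new URL(apiOrigin).origin;
  let token = null; // held in memory only, so it is gone after a reload

  // Synchronous "interceptor" step: build the final URL and headers.
  function prepare(path, init = {}) {
    const url = new URL(path, origin);
    const headers = { ...(init.headers || {}) };
    // Attach the token only for our own backend. Absolute or
    // protocol-relative URLs that resolve elsewhere never receive it.
    if (token !== null && url.origin === origin) {
      headers.Authorization = `Bearer ${token}`;
    }
    return { url: url.href, init: { ...init, headers } };
  }

  async function request(path, init) {
    const prepared = prepare(path, init);
    const res = await fetchImpl(prepared.url, prepared.init);
    // A 401 from our backend means the token was rejected: require a new login.
    if (res.status === 401 && new URL(prepared.url).origin === origin) token = null;
    return res;
  }

  // Steps 1 and 2 of the flow in the question: call /login, keep the token.
  async function login(credentials) {
    const res = await fetchImpl(new URL("/login", origin).href, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(credentials),
    });
    if (!res.ok) throw new Error(`login failed: HTTP ${res.status}`);
    token = (await res.json()).token;
  }

  return { login, request, prepare, setToken: (t) => { token = t; } };
}
```

Unlike a session cookie, which the browser sends automatically with every request to the site, the token here is only sent where `prepare` decides to add it.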