I am currently planning infrastructure for the new project with common backend for web and mobile application. The mobile applications are usually authorised by tokens, not the cookies but I am wondering why? I have few ideas in mind like lack of flexibility in setting and prelonging cookies based authentication, but I want to know the real argument behind tokens.
Cookies don't work perfectly in this case, since they track and verify active sessions. Tokens, meanwhile, provide authentication with a unique identifier on every request to the API endpoints.
Both cookies and localStorage are vulnerable to XSS attacks. However, cookie-based token storage is more likely to mitigate these types of attacks if implemented securely. The OWASP community recommends storing tokens using cookies because of its many secure configuration options.
A mobile app uses technology called a webview to display online content. Cookies are stored within a webview like they are stored in a browser setting. Webview is similar to mobile browsers because it is unique per application, and cannot share cookie information between apps or the device's web browser.
I have some experience with JSON web tokens. So I write about those.
Reason 1:
One concern is application scalability. When you use a cookie it normally goes like this:
So basically you have this overhead of looking up the session ID on every request. Now, this means that all backend servers have to know of the session ID - they share some sort of resource to look up the session ID. The alternative is to come up with some clever request routing, so that each user hits a fixed server where she was authenticated on. So I can't easily introduce a new server.
On the other hand a token like a JSON web token is just a crytographically secured claim, that one was authenticated (and maybe additional claims about the user). It goes like this:
Now, as each server can cryptographically prove that the token was issued by a trusted party (in most cases on of our backend servers), the backend server is sure that the user was authenticated. However, you don't need that shared session storage anymore. So, e.g. it does not matter at all which server a request goes to. This enhances scalability and makes ops a little bit easier.
Reason 2: A cookie is limited in size to 4KB. A token is not limited in size, so it can transport more information (of course a token should be small nevertheless).
Reason 3: Theoretically, you can control in your web app when to send the token. It's not necessary for anyonymous resources. A cookie is sent with each request.
Reason 4: A cookie is issued for one domain. If you access another domain, then you are in trouble. A token on the other hand can be sent to any domain.
Drawback 1:
There's no free lunch, however. A cookie can be protected by the HttpOnly
flag, so that it can't be accessed in Javascript. That makes XSS hard(er). On the other hand this is not possible with tokens.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With