Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why mobile apps are usually authenticated via token, not cookies

Tags:

authentication

architecture

cookies

token

I am currently planning infrastructure for the new project with common backend for web and mobile application. The mobile applications are usually authorised by tokens, not the cookies but I am wondering why? I have few ideas in mind like lack of flexibility in setting and prelonging cookies based authentication, but I want to know the real argument behind tokens.

like image 911
kulak Avatar asked Jan 04 '16 14:01

kulak

People also ask

Why should we choose token based authentication instead of cookie based?

Cookies don't work perfectly in this case, since they track and verify active sessions. Tokens, meanwhile, provide authentication with a unique identifier on every request to the API endpoints.

Are tokens more secure than cookies?

Both cookies and localStorage are vulnerable to XSS attacks. However, cookie-based token storage is more likely to mitigate these types of attacks if implemented securely. The OWASP community recommends storing tokens using cookies because of its many secure configuration options.

Does mobile application have cookies?

A mobile app uses technology called a webview to display online content. Cookies are stored within a webview like they are stored in a browser setting. Webview is similar to mobile browsers because it is unique per application, and cannot share cookie information between apps or the device's web browser.

1 Answers

I have some experience with JSON web tokens. So I write about those.

Reason 1:

One concern is application scalability. When you use a cookie it normally goes like this:

  1. User logs in. Cookie is issued with the session ID in it. The session ID is persisted in a shared session store in the backend. Cookie is stored in browser.
  2. Cookie is presented at each request. The backend takes the session ID from the cookie and checks in some sort of database if the session ID is known.

So basically you have this overhead of looking up the session ID on every request. Now, this means that all backend servers have to know of the session ID - they share some sort of resource to look up the session ID. The alternative is to come up with some clever request routing, so that each user hits a fixed server where she was authenticated on. So I can't easily introduce a new server.

On the other hand a token like a JSON web token is just a crytographically secured claim, that one was authenticated (and maybe additional claims about the user). It goes like this:

  1. User logs in. Token is issued that proves that claims that the user was authenticated (+ optional user info). The token is cryptographically signed by the issuer.
  2. The token is presented at each request. As it is signed, we can detect if the token is valid and unaltered. Also we can say who has issued the token.

Now, as each server can cryptographically prove that the token was issued by a trusted party (in most cases on of our backend servers), the backend server is sure that the user was authenticated. However, you don't need that shared session storage anymore. So, e.g. it does not matter at all which server a request goes to. This enhances scalability and makes ops a little bit easier.

Reason 2: A cookie is limited in size to 4KB. A token is not limited in size, so it can transport more information (of course a token should be small nevertheless).

Reason 3: Theoretically, you can control in your web app when to send the token. It's not necessary for anyonymous resources. A cookie is sent with each request.

Reason 4: A cookie is issued for one domain. If you access another domain, then you are in trouble. A token on the other hand can be sent to any domain.

Drawback 1: There's no free lunch, however. A cookie can be protected by the HttpOnly flag, so that it can't be accessed in Javascript. That makes XSS hard(er). On the other hand this is not possible with tokens.

like image 140
spa Avatar answered Nov 09 '22 01:11

spa
Sign in to Comment

Related questions

Restrict access to static website hosted on azure storage to intended users
Authentication tips using NTAG 424 DNA TT
ASP.NET Core - getting a message back from AuthenticationHandler
Windows Authentication prompts for username/password
Storing password in tables and Digest authentication
CAS authentication and redirects with jQuery AJAX
Spring Security : Bypass login form
_netrc/.netrc alternative to cURL
How can I access an Oracle database via ODBC from R without making the password public?
Using Devise for Two Different Models but the same Login Form
How to authenticate with SharePoint Online for a PHP app?
User.Identity.IsAuthenticated vs WebSecurity.IsAuthenticated
URI structure for restful API
LinkedIn Login for ASP.NET MVC 5 Application
Python Kerberos-1.1.1.tar.gz Install Failure on Windows
Symfony2: use both LDAP (Active directory) and DB for user authentication
What's the diff between dbo.aspnet_Users and dbo.aspnetUsers?
TeamCity - Unable to authenticate via API
Difference between host based authentication and key based authentication
What's the most reliable way to detect if the user is logging in from a different device than usual?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!