Knowledge Bank
  • My GitBook
  • Miscellaneous
  • Project
    • Rider and Intellij
    • Code
    • Frontend
      • Condition
      • AddConditionModalDialog
    • Backend
    • e2e
      • fragments
  • JAVASCRIPT
    • Promise
    • Destructuring
    • Spread Syntax and Rest Parameters
    • Typescript
      • Examples of Types
      • React Typescript
    • This
    • Dot Notation vs Bracket Notation
    • Shallow vs Deep Clone
    • New ES Edition
  • C#
    • Project Note
    • Basic
    • Shortcut and Debugging
  • Programming Paradigms
    • SOLID Principles
    • Object Oriented Programming (OOP)
      • Evolution of OOP (Procedural to OOP)
      • Instantiation
      • 4 Pillars of OOP
      • Extra
    • Functional Programming (FP)
      • Idempotent
      • Imperative vs Declarative
      • Immutability
      • High Order Function and Closure
      • Currying
      • Partial Application
      • Memoization and Caching
      • Compose and Pipe
      • Extra
      • Example of FP
    • OOP vs FP
      • Composition vs Inheritance
  • DATA STRUCTURE
    • Big O
    • Data Structure
    • Array
    • Hash Table
    • Linked List
    • Queue and Stack
    • Tree
      • Binary Heap
      • Trie
    • Graph
      • Example of Graph
  • React-Redux
    • MobX
    • Best Practices
  • Algorithms
    • Recursion
      • Examples of Recursion
    • Sorting
    • Searching and Traversal
    • Dynamic Programming
  • REFACTORING
    • Clean Code
      • Formatting
      • Error Handling
      • Concurrency
      • Testing
      • SOLID Principles
      • Classes
      • Objects and Data Structures
      • Variables
      • Functions
    • Code Smells
      • Long Function
      • Duplicate Code
      • Loops
      • Double Negative
      • Christmas Tree Code
      • Complex Condition
      • Primitive Obsession
      • Speculative Generality
      • God Class
      • Long Parameter List
  • Junior to Senior
    • AWS
      • Lambda
    • Session + Authentication
    • Redis
    • Kubernetes
      • Networking
      • Services
      • Deployment
      • Replica Set
      • YAML
      • pod-definition.yml
      • Kubectl
      • Pods
      • Fundamentals
    • Docker
      • Operating System - Extra
      • Dockerfile - Docker Image
      • Docker Storage
      • Docker Network
      • Docker Registry
      • Docker Command
      • Docker Compose
      • Docker Compose - Postgres
    • Security
      • Logging
      • HTTPS, Cross-Site-Scripting (XSS) and Cross-Site-Request-Forgery (CSRF)
      • 3rd Party Library
      • Injection
      • Code Secret, Secure Header, Access Control, Data Management, Authentication
    • CI/CD
    • SPA vs Server-Side Rendering
    • Performance
      • Optimized Code
      • Critical Render Path
      • Backend Optimization
      • Minimized Files and Images
      • Minimized Delivery
  • SECURITY
    • Encryption
    • SSH
  • Command
  • Cheatsheet
    • NPM
    • GIT
  • Writing Template
    • Guide
    • API
    • ChangeLog
    • FAQ
  • Linux
Powered by GitBook
On this page

Was this helpful?

  1. Junior to Senior

Session + Authentication

Cookie-based Auth

Once authenticated, cookie-based authentication send a header that is set cookie with the session to identify the browser (client).

  • Stateful

The browser keeps their session cookie in the header and the server has to keep track of the cookies that it's sent out to the clients in database or some other way to manage that data. Whenever they get a request they have to go through those cookies and figure out if any of them are valid (similar to password checking) and which user information they pass based on that cookie and has to keep track of these active sessions in the database. Once the user logs out, the session is destroyed both on client and server side.

Token-based Auth

Characteristics:

  • Can store information inside the token

  • Stored in local storage or session storage of browser instead of header like cookie

  • Stateless as the server does not need to keep a record of which users are logged in or which have been issued. All the server needs to do is decode this JWT and make sure that it's a valid token (by verify method of JWT).

  • Once a user logs out, the token is destroyed on the client side with no interaction on the server (backend)

Pros of token-based auth:

  • Stateless. The backend does not need to actually record or store the tokens in a database. Each token is self-contained and contains all the data required to check its validity as well as convey user information. So the server's job is actually simplified. The only job is then to sign the tokens. And any time it gets a request to just verify the token.

  • Unlike cookies which are meaningless strings, in JWT you can actually have any type of data you want inside of the JWT.

  • Work well across different API. You can use the same JWT token across different API.

  • Serve both browser and native mobile platforms like iOS and Android.

Cons of token-based auth:

  • Cookie works well with one single domain - the classic browser server client relationship.

  • Bigger data is JWT token hold more information.

  • Storing info in JWT can be dangerous.

Local Storage: persist across browser tab

Session Storage : only one browser tab

Redis + JWT

Session management with redis and instead of just using the verify with the JWT token, we're going to actually store the JWT token in redis database and by storing it in our database, we have full control to see what tokens are available, what tokens we've given out and also revoke them any time that we want. And this gives us a lot of power and maneuverability.

PreviousLambdaNextRedis

Last updated 4 years ago

Was this helpful?