
Jonathan Fernandes
Courses Plus Student 22,784 Points

Token vs cookie based authentication

So there is a lot of documentation out on the world wide web that seems to favor token based authentication vs a cookie based authentication system.

A lot of what I build has the cookie based approach. I am at a point though where I am building bigger and more robust one page applications. My hope is that at some point I can also get some native options (mobile support) too.

Everything online seems to point to the fact that I should turn to a token based approach. Is that true or is there more to the argument of Token vs Cookie?

2 Answers

I have always used cookies as well until I discovered JSON Web Tokens (JWT). It is fairly simple to use and will allow you to branch out to other types of clients such as mobile devices. Check out the below for more information:

https://jwt.io/

Ari Misha
19,323 Points

Hiya there! That's an interesting question in my opinion coz we've been taught about cookies and sessions and how they play an important role in user authentication and user authorization. But it's unsafe, I mean any hacker might retrieve that session id and authenticate himself with the same session id. He might also use XSS (cross-site scripting attacks) and injections in your application URL. With cookies, many other details might be exposed as well. But with token authentication your application is so much safer than that. I mean on every authentication or any request made to the server, a token is generated and gets sent by the client to the server and vice versa. This step is really important coz not only does it validate and provide that security layer, it protects against all kinds of injections a hacker might use to expose that user information. I'd also highly recommend you to force your application to apply an SSL certificate connection.

~ Ari