Hasty Treat - Authentication - LocalStorage vs Cookies vs Sessions vs Tokens

In this Hasty Treat, Scott and Wes talk about authentication — the difference between localStorage, cookies, session, tokens and more!

LogRocket - Sponsor

LogRocket lets you replay what users do on your site, helping you reproduce bugs and fix issues faster. It's an exception tracker, a session replayer and a performance monitor. Get 14 days free at https://logrocket.com/syntax.

Show Notes

4:20 - How should we track users?

• Token based - generally stored in the client
• Session based - stored on the server
• Token Based (JWT)

6:00 - Token-based auth

• Stateless - the server does not maintain a list of logged in users
• Scalable - you can use serverless functions easily
• Cross domain
• Data can be stored in JWT
• Easy to use on non-web sites like mobile apps
• Hard to expire tokens — you must maintain a list of blacklisted tokens

7:48 - Session-based auth

• Stateful - generally you maintain a list of session IDs
• Passive - once signed in, no need to send token again
• Easy to destroy sessions

10:48 - How do we identify the user on each request? localStorage or Cookies?

• A common misconception is that localStorage is for tokens while cookies is for sessions
• With localStorage, we need to grab the token and send them along on each request
• With cookies, the data is sent along on each request

11:25 - Security Issues

• XSS for Tokens - make sure bad actors can't run code on your site
• Sanitize inputs
• XSRF - CSRF tokens are needed

Links

• Cookies vs Tokens: The Definitive Guide

Tweet us your tasty treats!