5

Flask Web Development says

The current login functionality implemented with the help of Flask-Login stores data in the user session, which Flask stores by default in a client-side cookie, so the server does not store any user-related information; it asks the client to store it instead. It would appear that this implementation complies with the stateless requirement of REST, but the use of cookies in RESTful web services falls into a gray area, as it can be cumbersome for clients that are not web browsers to implement them. For that rea‐ son, it is generally seen as a bad design choice to use cookies in APIs.

https://stackoverflow.com/a/59826012/ says:

Session-based authentication is stateful. This means that an authentication record or session must be kept both server and client-side. The backend keeps track of the active sessions in a database, while on the front-end a cookie is created that holds a session identifier.

https://dzone.com/articles/cookies-vs-tokens-the-definitive-guide says

Cookie-based authentication is stateful. This means that an authentication record or session must be kept both server and client-side. The server needs to keep track of active sessions in a database, while on the front-end a cookie is created that holds a session identifier, thus the name cookie based authentication.

Is it correct that session based authentication is the same as cookie-based authentication?

Does session/cookie based authentication store user/session/... on server side?

Is it stateful or stateless?

Is the difference between cookie based and token based authentication exactly that the former is not signed, while the latter is?

Thanks.

Tim
  • 617
  • 2
  • 7
  • 16

1 Answers1

3

Is it correct that session based authentication is the same as cookie-based authentication?

These phrases are not the same: "cookie based" reflects how session information gets transmitted while "session based" reflects that a session is used instead of having to login for every transaction again. "Session based" might be implemented with cookies and it typically is, but this is not an actual requirement. One could transmit the session for example in the URL too.

Does session/cookie based authentication store user/session/... on server side?

Not necessarily. All information can be stored inside the (signed/encrypted) cookie so that only the client actually stores the information and the server can extract the information from the cookie. Or the cookie can just be a key to look up the information in the servers database in which there is no need to sign/encrypt it.

Is it stateful or stateless?

Depends on the meaning/interpretation of these terms in a specific context. First, there is always a state involved when having a session, compared for example to the case where authentication credentials are send with each request. So from this perspective session based authentication is always stateful.

But in some contexts the question is if both server and client keep the state information. In this interpretation it would not be stateful if all the state information are contained in the session cookie, since the server only extracts the state from the cookie and might update the state by sending a new cookie, but does not actually store the state locally.

Is the difference between cookie based and token based authentication exactly that the former is not signed, while the latter is?

They are not the same but similar. A session cookie is usually set initially by the server and then implicitly reflected by the client in each request by the client inside the Cookie HTTP header field. An authentication token is usually created some other way (for example when signing up for a service) and is explicitly added to the request by the client, usually inside the Authorization HTTP header field. Both session cookie and authentication token are opaque to the client in that it does not care (and often does not know) the inner structure.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • Thanks. (1) Is token based authentication stateful? If yes, is it because every request is required to authenticate? (2) Is it correct that cookie can be used for implementing both session based authentication or nonsession based authentication, dependeing on what info a cookie carries? If a cookie carries session id, then it is session based authentication, and if a cookie carries non session info such as token, then it is nonsession based authentication? – Tim Feb 11 '20 at 17:03
  • (3) when tokens are written in cookies, it is still stateless? – Tim Feb 11 '20 at 17:11
  • @Tim: (1) no. (2) cookie can be used for many things where it is relevant that some information set by the server is stored by the client and reflected back later to the server. But a scenario where the client sends credentials with each request is not cookie based. (3) it does not matter where the token is stored but only if it is associated with a state or not. - also, please stick to your original question and don't add more and more follow-ups as comment. – Steffen Ullrich Feb 11 '20 at 17:12
  • (1) my typo. Is token based authentication **stateless**? If yes, is it because every request is required to authenticate? – Tim Feb 11 '20 at 17:20
  • Sorry. I stay confused. https://security.stackexchange.com/questions/225723/token-and-cookie-based-mechanisms-stateful-or-stateless-session-or-nonsession – Tim Feb 11 '20 at 17:49