Sorry for still being confused. I hope someone could share how they understand the following questions, and also "Is session/cookie based authentication stateful or stateless?". There might be some different terminologies used by different people. We can focus more on the concepts than on terminology, and define terms before using them.
I found some different discussions on token-based mechanisms. https://security.stackexchange.com/a/92123 says
In Token-based Authentication no session is persisted server-side (stateless).
whereas https://stackoverflow.com/a/58398997 says
Server still needs to store blacklisted tokens which defeats the purpose of stateless
A comment says
it does not matter where the token is stored but only if it is associated with a state or not.
Stateless or stateful, and session-based or non-session-based
Is "stateless" defined as "requests from the same client following the first one don't need to be authenticated"? Is "stateful" defined as "every request needs to be authenticated"?
Is it correct that a session-based mechanism is stateful and a non-session-based mechanism is stateless? (I guess yes, session-based == stateful.)
Token based mechanism:
Is the token used for authentication? Or not for authentication, just as a session id is not? (I guess the token is used only for authentication, so every request that sends back a token authenticates with the server. In contrast, a request that sends back a session id doesn't authenticate with the server, although the session id waives authentication. The token is used for authentication, just as the user password is.)
Is token based mechanism stateless? (I guess yes, because token is only for authentication.) Or is token based mechanism as stateful as cookies that contain session ID?
When is a token associated with a state, and when not?
Cookie based mechanism:
Is it correct that a cookie can carry any kind of information: session ID, token, ...?
Is it correct that a cookie can be used for implementing both a stateful (i.e. session-based) mechanism and a stateless (i.e. non-session-based) mechanism, depending on what info the cookie carries? If a cookie carries a session id, then it is stateful (i.e. session-based)? If a cookie carries non-session info such as a token, then it is stateless (i.e. non-session-based)?
When tokens are written in cookies, is it still stateless?
Thanks.
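The distinction the question circles around can be made concrete by putting both mechanisms side by side. The following is an added example, not code from the question or from either linked answer: a server-side session store (the id is an opaque random handle, so the server must keep a record per login and look it up on every request) next to an HMAC-signed, self-contained token (verified on every request from the token alone, with nothing stored after issuance). The `revoked` parameter of `verify_token` models the blacklist the second quote refers to; it is there to show that the moment revocation is required, the server is keeping per-token state again. The key, usernames and timestamps are constructed for the demo; whether either credential travels in a cookie or an `Authorization` header does not change which side keeps the state.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key; a real service would load a randomly generated key from
# its secret store rather than hard-code one.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


class SessionStore:
    """Stateful: the session id is an opaque random handle with no meaning of its
    own, so the server keeps a record per live login and looks it up on every
    request. Logout is trivial: delete the record."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": ..., "created": ...}

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable handle, carries no claims
        self._sessions[sid] = {"user": user, "created": time.time()}
        return sid

    def authenticate(self, sid):
        record = self._sessions.get(sid)
        return record["user"] if record else None

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def state_size(self):
        return len(self._sessions)  # grows with the number of live logins


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, ttl=3600, now=None):
    """Stateless: the token carries its own claims (subject, expiry) plus an HMAC
    over them. The server stores nothing after issuing it."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user, "exp": now + ttl}, separators=(",", ":")).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(sig)


def verify_token(token, now=None, revoked=frozenset()):
    """Every request is authenticated from the token alone: check the MAC, then
    the expiry. `revoked` models a server-side blacklist; needing one means the
    server is keeping per-token state again."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = b64url_decode(payload_b64)
        sig = b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered payload or wrong signature
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None  # expired; no lookup needed to know this
    if token in revoked:
        return None  # revocation reintroduces state
    return claims["sub"]


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice")
    print("session lookup:", store.authenticate(sid), "| live sessions:", store.state_size())
    store.logout(sid)
    print("after logout:", store.authenticate(sid))

    tok = issue_token("alice", ttl=60, now=1000.0)
    print("token verified:", verify_token(tok, now=1030.0))
    print("token expired:", verify_token(tok, now=1061.0))
    print("token revoked:", verify_token(tok, now=1030.0, revoked={tok}))
```

Run it directly to see both flows. The observable difference is `state_size()`: the session store grows and shrinks with logins and logouts, while the token path has no equivalent until you add the `revoked` set, at which point the server is back to tracking individual credentials until they expire.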