
I wanted to build a secure user interaction with the server, but I stumbled over whether to use a token or a session. Here are a couple of options that I thought about:

  1. I learned JWT, built a token, and sent it back and forth between server and client on my local server. Seems like a good thing to do, since with HTTPS only the two parties will be able to communicate in between, therefore quite secure.

  2. However, when I looked into websites like Facebook, Twitter and Instagram, they don't have a token, but have a session with a bunch of variables. I assume they are for authentication.

Which option is the right one to opt for? I opt to choose the token, as it is secure; I say, why burden the server with load the client can handle, when you can offload it if a token is used.

However, I have a feeling that tokens are basically not used in websites, but only in APIs.

Vilican
Rockink

1 Answer


A token and a session are basically the same thing from a different view. A cookie would be a different thing.

As the HTTP protocol is stateless, the server must have a way to maintain the state of the connection. A session (generally) is a file stored on the server, with all the state variables of the client in it. The token is the value sent back from the client, so the server knows which file to read. A session and its token are more secure than a cookie because the client cannot change arbitrary fields, and they generate less traffic.

A cookie is another approach: it's a file stored on the client with all the session data. They store all data of the connection. I don't like cookies because of the overhead of making sure that the client hasn't changed any value.

ThoriumBR

  • @Cthulhu, storing data in insecure places will not add security. It's way more secure to keep all data on the server, and only a token on the client. Never ever blindly trust any data coming from the client. And you will incur a lot of overhead sanitizing and validating all data from the client, and less overhead handling a token. – ThoriumBR Aug 24 '15 at 18:54
  • @Cthulhu You cannot store the token on the server, the client must send it. Otherwise, how could the server possibly know which client he is talking to? – ThoriumBR Aug 24 '15 at 19:06
  • @Cthulhu I think this illustrates that you don't know exactly how a session works... If storing a token on the server is insecure, how can a client trust anything coming from it? – ThoriumBR Aug 24 '15 at 19:11
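The two designs the answer contrasts, as an added example that is not part of the original answer or comments: server-side state looked up by an opaque, unguessable token, next to client-held state that the server must integrity-check (here with an HMAC) before trusting it. The in-memory dict, the `SERVER_KEY` value and the field names are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets


# --- Design 1: state lives on the server, the client only holds an opaque token ---
class SessionStore:
    """In-memory stand-in for the server-side session file/DB the answer describes."""

    def __init__(self):
        self._sessions = {}  # token -> dict of per-client state

    def create(self, user_id):
        # 32 random bytes: the token identifies the session but carries no data itself,
        # so there is nothing in it for a client to edit.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user_id": user_id, "role": "user"}
        return token

    def get(self, token):
        # An unknown or forged token simply matches nothing; no field validation needed.
        return self._sessions.get(token)


# --- Design 2: state lives on the client, so the server must detect tampering ---
SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # constructed; a real key is random and secret


def sign_client_state(state):
    # Canonical JSON so the same state always signs to the same bytes.
    body = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag


def verify_client_state(blob):
    # Returns the state only if the HMAC matches; any edited field returns None.
    body, _, tag = blob.rpartition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)
```

With the client-side design every request costs a signature check and the data is still readable by the client; with the server-side design the only client-supplied value is a lookup key.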