Session vs Token Authentication in 100 Seconds

Video Statistics and Information

Captions
User authentication: there are two main ways to get the job done, sessions and tokens. The traditional approach on the web is cookie-based server-side sessions. The process begins with a user filling out their username and password and then submitting it to a server, which then validates it, creates a session in the database, then responds with a session ID. The session ID will be saved in the browser's cookie jar, which is a place in the browser to save key-value pairs that will be sent back to the server on each subsequent request. It can then respond back with content designed for the currently logged-in end user. In other words, we have a stateful session between the front-end client and back-end server.

This approach works great, but there are some drawbacks. It can be vulnerable to an attack known as cross-site request forgery, where the attacker points the user to a site they're logged into to perform actions they didn't intend to, like submitting a payment or changing their password, although the risk is very low, especially if you use a modern framework to implement your code. The bigger problem is that you'll need to store the session ID in a database or keep it in memory on the server. Because most of today's cloud applications are scaled horizontally, this can be a huge bottleneck in production.

And that brings us to token-based authentication, which solves this problem but introduces its own set of challenges. The process begins the same, with the client sending its login details to the server. Instead of storing a session ID, it generates a JSON Web Token. The JWT is created with a private key on the server, then it's sent back to the browser, where it's normally kept in local storage. On future requests the JWT will be added to the Authorization header, prefixed by "Bearer". The server then only needs to validate the signature; there's no need for a database lookup somewhere else in the infrastructure, and that's way more efficient when dealing with a distributed system in the cloud. However, tokens can still be hijacked by an attacker, and they can also be difficult to invalidate, and they can't be used to authenticate a user in the background on the server.

Here's the most important thing to understand: with a session, the authentication state is handled on the server, while tokens are managed on the client.

This has been user authentication in 100 seconds. If you want to master web security, check out Web Security Academy. My friend Bartos is launching a 12-week coaching program. It's not your ordinary course, but 12 weeks of high-value group-based learning, and I'm teaching my own module in the course on Firebase security. Check out the link in the description to learn more, and I will see you there in a few weeks. Thanks for watching.
Info
Channel: Fireship
Views: 273,781
Rating: 4.9692197 out of 5
Keywords: webdev, app development, lesson, tutorial, web security, authentication, web auth, user auth, hacking, csrf, cookies, jwt, json web tokens
Id: UBUNrFtufWo
Length: 2min 18sec (138 seconds)
Published: Thu Oct 29 2020