Hasty Treat - Authentication: LocalStorage vs Cookies vs Sessions vs Tokens


In this Hasty Treat, Scott and Wes talk about authentication — the difference between localStorage, cookies, session, tokens and more!

LogRocket - Sponsor

LogRocket lets you replay what users do on your site, helping you reproduce bugs and fix issues faster. It’s an exception tracker, a session replayer and a performance monitor. Get 14 days free at https://logrocket.com/syntax.

Show Notes

4:20 - How should we track users?

  • Token based - generally stored in the client
  • Session based - stored on the server
  • Token Based (JWT)

6:00 - Token-based auth

  • Stateless - the server does not maintain a list of logged in users
  • Scalable - you can use serverless functions easily
  • Cross domain
  • Data can be stored in JWT
  • Easy to use on non-web sites like mobile apps
  • Hard to expire tokens — you must maintain a list of blacklisted tokens

7:48 - Session-based auth

  • Stateful - generally you maintain a list of session IDs
  • Passive - once signed in, no need to send token again
  • Easy to destroy sessions

10:48 - How do we identify the user on each request? localStorage or Cookies?

  • A common misconception is that localStorage is for tokens while cookies is for sessions
  • With localStorage, we need to grab the token and send them along on each request
  • With cookies, the data is sent along on each request

11:25 - Security Issues

  • XSS for Tokens - make sure bad actors can’t run code on your site
  • Sanitize inputs
  • XSRF - CSRF tokens are needed
Links Tweet us your tasty treats!

Audio Player