In this Hasty Treat, Scott and Wes talk about authentication: the difference between localStorage, cookies, sessions, tokens and more!
LogRocket - Sponsor
LogRocket lets you replay what users do on your site, helping you reproduce bugs and fix issues faster. It's an exception tracker, a session replayer and a performance monitor. Get 14 days free at https://logrocket.com/syntax.
4:20 - How should we track users?
- Token based (e.g. JWT) - the credential itself is generally stored on the client
- Session based - the login state is stored on the server; the client holds only a session ID
6:00 - Token-based auth
- Stateless - the server does not maintain a list of logged-in users; it only needs the signing key to verify a token
- Scalable - any instance, including serverless functions, can verify a token without shared session storage
- Cross domain - the token can be sent to APIs on other origins, e.g. in an Authorization header
- Data can be stored in the JWT payload - but the payload is only base64url-encoded and signed, not encrypted, so anyone holding the token can read the claims
- Easy to use on non-web clients like mobile apps
- Hard to expire tokens - a signed token stays valid until its exp claim passes, so revoking one early means keeping a server-side blacklist (denylist) of revoked tokens, which brings some state back
7:48 - Session-based auth
- Stateful - the server keeps a store of active session IDs mapped to users
- Passive - once signed in, the browser sends the session ID cookie automatically on each request; client code does not have to attach anything
- Easy to destroy sessions - delete the ID from the store and the session is invalid immediately
10:48 - How do we identify the user on each request? localStorage or Cookies?
- A common misconception is that localStorage is for tokens while cookies are for sessions; either credential can be carried either way
- With localStorage, client-side JavaScript has to read the token and attach it to each request (typically an Authorization: Bearer header), and any other script running on the page can read it too
- With a cookie, the browser attaches it to every matching request automatically, and with the HttpOnly flag script cannot read it at all
11:25 - Security Issues
- XSS for tokens - a token in localStorage can be read by any script that runs on your page, so make sure bad actors can't run code on your site
- Sanitize and escape untrusted input before it is rendered; an HttpOnly cookie is not readable from JavaScript, which limits what an XSS can steal
- XSRF (CSRF) for cookies - because the browser sends cookies automatically, a request forged from another site carries them too, so state-changing requests need CSRF tokens (SameSite cookie attributes help as well)