Hasty Treat - Authentication: LocalStorage vs Cookies vs Sessions vs Tokens

In this Hasty Treat, Scott and Wes talk about authentication — the difference between localStorage, cookies, session, tokens and more! LogRocket - Sponsor LogRocket lets you replay what users do on your site, helping you reproduce bugs and fix issues faster. It’s an exception tracker, a session replayer and a performance monitor. Get 14 days free at https://logrocket.com/syntax. Show Notes 4:20 - How should we track users? Token based - generally stored in the client Session based - stored on the server Token Based (JWT) 6:00 - Token-based auth Stateless - the server does not maintain a list of logged in users Scalable - you can use serverless functions easily Cross domain Data can be stored in JWT Easy to use on non-web sites like mobile apps Hard to expire tokens — you must maintain a list of blacklisted tokens 7:48 - Session-based auth Stateful - generally you maintain a list of session IDs Passive - once signed in, no need to send token again Easy to destroy sessions 10:48 - How do we identify the user on each request? localStorage or Cookies? A common misconception is that localStorage is for tokens while cookies is for sessions With localStorage, we need to grab the token and send them along on each request With cookies, the data is sent along on each request 11:25 - Security Issues XSS for Tokens - make sure bad actors can’t run code on your site Sanitize inputs XSRF - CSRF tokens are needed Links Cookies vs Tokens: The Definitive Guide Tweet us your tasty treats! Scott’s Instagram LevelUpTutorials Instagram Wes’ Instagram Wes’ Twitter Wes’ Facebook Scott’s Twitter Make sure to include @SyntaxFM in your tweets