🐏 mogoz

Search

Products to look at
B2C
B2B
FAQ
Where to store auth/session token?
What are the ways to do Authentication?

Web Authentication

Jun 30, 2024, 2 min read

tags : Security, Web Development, Authentication, JWT, Identity Management

Products to look at

B2C

Firebase auth
SuperTokens, Open Source Authentication
Clerk | Authentication and User Management

B2B

Ory - Open Source Identity Solutions For Everyone
Auth. Built for Devs, by Devs - FusionAuth

FAQ

Where to store auth/session token?

See Identity Management and API Design
Preference is to use cookies for storing auth stuff.
For user preference etc. local storage is fine.
URL Params / URL args / POST Body : Using these is not recommended but possible for obvious reasons
Cookies
- XSS can be tightened w HTTPOnly cookie
- Browser will automatically send cookies so no additional handling of auth stuff required
- Can be set across subdomains. So you can use the same auth for a.x.com and b.x.com which is cool.
- Easy to clear also
Local storage
- XSS possible
- Only per origin
- Not suitable for sensitive stuff
- Have to send the auth token yourself
Session storage
- Similar to Local Storage but better in this regard
See Cookies
See Web Storage

What are the ways to do Authentication?

Assuming we not dealing with OIDC (OpenID Connect) here.
We have two options, Web Sessions and JWT. For both, Cookies are a safe storage mechanism. But not necessarily all the time. Here comes “it depends”.

Graph View

Backlinks

TLS
Authentication
JWT
CORS
Cookies
CSRF
XSS
Same Origin Policy (SOP)
iframe
Web Sessions

Created with Quartz v4.1.0, © 2024

GitHub
Twitter