At Zagreb Webcamp 2018, I attended the talk A Token Walks Into a SPA… by Ado Kukic. During the Q&A session I finally realized the difference between JWT and session cookies. This post explains the evolution of web and mobile application authentication mechanisms.
Step 1, what is Authentication?
Authentication is the process of determining whether someone or something is, in fact, who or what it declares itself to be. [source].
Here is a Facebook example. You know that your best friend used their Gmail address during registration. To log in to Facebook, you need to enter an email and a password. When you enter your friend's email address, you are claiming to Facebook that you are your friend. How can you prove that? You would have to guess (or steal) your friend's password.
Step 2, HTTP protocol is stateless
That means that no browser request knows anything about any previous or future request.
In the Facebook example, after logging in you land automatically on your news feed. If you then click the Events option and Facebook were using only plain HTTP, you would need to enter your username/password again. A very boring activity.
Step 3, let's make HTTP stateful using session Set-Cookie/Cookie headers
The Cookie header was introduced to make HTTP stateful: it acts as a session data store that can contain user data from the moment of authentication. For authentication purposes, that data is the user's unique identifier. It is important to note that Cookie header manipulation is done on the client side, by the browser.
Using Facebook as an example: after you enter your username/password and authentication succeeds, the server sends a session token in the Set-Cookie header. Note that the session token is not the only token that could be present in that header. The browser reads the Set-Cookie content and, for every further request, copies its content into the Cookie header.
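The exchange described in Step 3, as an added example that is not part of the original post: a server issues a session token in Set-Cookie, a minimal "browser" replays it in Cookie, and the server maps it back to the user. The user record, the cookie name `session`, the function names and the HttpOnly/Secure/SameSite attributes are assumptions chosen for illustration.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed sample data. The plaintext password keeps the example short;
# a real server stores a password hash instead.
USERS = {"friend@example.com": "correct horse battery staple"}
SESSIONS = {}  # server-side store: session token -> user identifier


def login(email, password):
    """Server: authenticate once, then return (status, Set-Cookie value)."""
    stored = USERS.get(email)
    if stored is None or not secrets.compare_digest(
        stored.encode(), password.encode()
    ):
        return 401, None
    token = secrets.token_urlsafe(32)  # random, unguessable session token
    SESSIONS[token] = email
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True   # not readable from page scripts
    cookie["session"]["secure"] = True     # only sent over HTTPS
    cookie["session"]["samesite"] = "Lax"  # limits cross-site sending
    cookie["session"]["path"] = "/"
    return 200, cookie["session"].OutputString()


def browser_cookie_header(set_cookie_value):
    """Browser: store the cookie, send back only name=value in Cookie."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    return "; ".join(f"{name}={m.value}" for name, m in jar.items())


def current_user(cookie_header):
    """Server: resolve the Cookie header of a later request to a user."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("session")
    return SESSIONS.get(morsel.value) if morsel else None


if __name__ == "__main__":
    status, set_cookie = login("friend@example.com", "correct horse battery staple")
    print("Set-Cookie:", set_cookie)
    cookie_header = browser_cookie_header(set_cookie)
    print("Cookie:", cookie_header)
    print("Events page served for:", current_user(cookie_header))
    print("Request without cookie:", current_user(None))
```

The cookie attributes travel only from server to browser; the Cookie header on later requests carries just the `session=<token>` pair, and a request without it is anonymous again.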
Step 4, welcome to single page applications
Step 5, JWT
Step 6, Which header to use?
You need to carefully choose the technology stack for your application. Do not make a decision based on technology hype, such as "We will use JWT because it is a trend." Do the analysis at the beginning of the project, because this is the cheapest moment.
Also published on Medium.