I think it's well explained here - quoting just the key sentences of the long article:

In other words: add one level of indirection for authentication - instead of having to authenticate with username and password for each protected resource, the user authenticates that way once (within a session of limited duration), obtains a time-limited token in return, and uses that token for further authentication during the session.

Advantages are many - e.g., the user could pass the token, once they've obtained it, on to some other automated system which they're willing to trust for a limited time and a limited set of resources, but would not be willing to trust with their username and password (i.e., with every resource they're allowed to access, forevermore or at least until they change their password).

If anything is still unclear, please edit your question to clarify WHAT isn't 100% clear to you, and I'm sure we can help you further.

Token-Based Authentication relies on a signed token that is sent to

What are the benefits of using a token-based approach?

Cross-domain / CORS: cookies + CORS don't play well across different domains. A token-based approach allows you to make AJAX calls to any server, on any domain because you use an HTTP header

Server side scalability): there is no need to keep a session store, the token is a self-contained entity that conveys all the user information. The rest of the state lives in cookies or local storage on the client side.

CDN: you can serve all the assets of your app from a CDN (e.g. javascript, HTML, images, etc.), and your server side is just the API.

Decoupling: you are not tied to any particular authentication scheme. The token might be generated anywhere, hence your API can be called from anywhere with a single way of authenticating those

Mobile ready: when you start working on a native platform (iOS, Android, Windows 8, etc.) cookies are not ideal when consuming a
Token-based approach simplifies this a lot.

CSRF: since you are not relying on cookies, you don't need to protect against cross site requests (e.g.
sib your site, generate a POST request and re-use the existing authentication cookie because there will be none).
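The answers above describe a signed, self-contained, time-limited token that travels in an HTTP header instead of a cookie and needs no server-side session store. The following is an added example, not code from either answer or from any library; it implements that idea as a minimal HMAC-signed token (the claim names `sub`, `scope`, `iat` and `exp` are borrowed from JWT conventions, the secret and the `Bearer` header handling are assumptions, and a real deployment would use a vetted token library rather than this hand-rolled format). It shows why the server can verify a token statelessly, why a tampered or expired token is rejected, and why a forged cross-site request carrying only cookies gets nothing.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical signing key shared by the issuer and every API node that verifies
# tokens. Constructed for this example; in practice load it from a secrets store.
SECRET = b"example-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    """URL-safe base64 without padding, so the token is header-friendly."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def issue_token(username, scopes, ttl_seconds, secret=SECRET, now=None):
    """Issue a self-contained token after the user has authenticated once.

    The claims live inside the token, so the server keeps no session row; the
    expiry bounds how long a leaked or delegated token remains useful.
    """
    now = int(time.time()) if now is None else now
    claims = {"sub": username, "scope": scopes, "iat": now, "exp": now + ttl_seconds}
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_token(token, secret=SECRET, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None.

    Verification needs only the shared secret, which is what makes the scheme
    stateless: any API node can check a token without consulting a session store.
    """
    now = int(time.time()) if now is None else now
    try:
        body, sig_text = token.split(".")
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so the check does not leak the signature byte by byte.
        if not hmac.compare_digest(expected, _b64url_decode(sig_text)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # malformed base64, bad JSON, or wrong number of segments
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def authenticate_request(headers, now=None):
    """Authenticate an API request from its Authorization header only.

    Cookies are deliberately ignored: a cross-site request that the browser
    decorates with the victim's cookies carries no bearer token and is rejected.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return verify_token(auth[len("Bearer "):], now=now)


if __name__ == "__main__":
    t0 = int(time.time())
    token = issue_token("alice", ["read"], ttl_seconds=300, now=t0)
    print("issued:", token)
    print("valid now:", authenticate_request({"Authorization": "Bearer " + token}, now=t0))
    print("after expiry:", authenticate_request({"Authorization": "Bearer " + token}, now=t0 + 301))
    print("cookie only:", authenticate_request({"Cookie": "session=abc"}, now=t0))
```

The `now` parameter exists so expiry can be exercised deterministically; production code would simply use the clock. Note the two checks every verifier must perform before trusting any claim: the signature comparison (with `hmac.compare_digest`, not `==`) and the expiry, in that order, since an unsigned payload is worthless no matter what `exp` it claims.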