JWT vs cookies for token-based authentication

I read some posts about “JWT vs Cookie” but they only made me more confused…

  1. I want some clarification, when people talking about “token-based authentication vs cookies”, cookies here merely refer to session cookies? My understanding is that cookie is like a medium, it can be used to implement a token-based authentication(store something that can identify logged-in user on the client side) or a session-based authentication(store a constant on the client side that matches session information on the server side)

  2. Why do we need JSON web token? I was using the standard cookie to implement token-based authentication(not using session id, not use server memory or file storage): Set-Cookie: user=innocent; preferred-color=azure, and the only difference that I observed is that JWT contains both payload and signature…whereas you can choose between signed or plaintext cookie for http header. In my opinion signed cookie (cookie:'time=s%3A1464743488946.WvSJxbCspOG3aiGi4zCMMR9yBdvS%2B6Ob2f3OG6%2FYCJM') is more space efficient, the only drawback is that client cannot read the token, only the server can…but I think it’s fine because just like claim in JWT is optional, it’s not necessary for token to be meaningful

5 Answers
5

Leave a Comment