Security
Jul 12, 2024 · 6 min read

Cookie-based Authentication: A Simple Guide for Secure Sessions

A comprehensive comparison between JWT+localStorage and cookie-based authentication, covering security considerations like XSS and CSRF attacks.

Tags: Authentication, Security, Web Development, Cookies




Authentication is the process of verifying the identity of a user, device, or entity in a system. It ensures that the person or system accessing resources is who they claim to be. The main goal of authentication is to protect systems and data from unauthorized access.



JWT + Local Storage



JWT (JSON Web Token) is a way to transmit information between parties as a JSON object. The information can be verified and trusted because it is digitally signed. A token has three parts: a header, a payload carrying the claims we want to transmit, and a signature over the first two, so that any change to the header or payload is detected.



eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c



Security Note: localStorage is readable by any script running on the page, so a Cross-Site Scripting (XSS) payload can read and exfiltrate the authentication token stored there.


LocalStorage Concerns



  • XSS attacks can steal tokens

  • No automatic session management

  • Client-side only storage



Cookie-based Authentication



Cookies are small pieces of data stored in the user's web browser while the user is browsing. With the right attributes set, they give websites a reliable mechanism for storing authentication tokens securely.



Advantages of Cookies



  • HttpOnly flag keeps the cookie out of reach of client-side scripts, so an XSS payload cannot read the token

  • Secure flag ensures HTTPS-only transmission

  • SameSite attribute helps prevent CSRF attacks

  • Automatic inclusion in requests by the browser



Types of Cookies



1. Persistent Cookies


Remain on the browser after session ends until expiration



2. Session Cookies


Deleted when the browser session ends



Properties of Cookies



Cookies have multiple properties which can be used for multiple cases, such as:




  • Secure: Ensures that the cookie is sent only over an HTTPS connection, which is encrypted, and never over plain HTTP.

  • HttpOnly: Ensures that the cookie cannot be accessed by client-side scripts, mitigating token theft through Cross-Site Scripting attacks.

  • Expires and Max-Age: Specify the expiration date and the maximum age of the cookie (in seconds) respectively, after which the cookie is deleted.

  • Domain and Path: Specify the domain, and the path within that domain, for which the cookie is valid.

  • SameSite: Controls whether the cookie is sent with cross-site requests, helping to prevent CSRF attacks.



SameSite Attribute Settings



There are three settings for the SameSite attribute:




  • Strict: Cookies are only sent in a first-party context, meaning they are only sent if the request originates from the same site as the target URL. This prevents cookies from being sent with requests from third-party sites, effectively blocking CSRF attacks but also potentially breaking legitimate cross-origin use cases.


  • None: Cookies are sent with all requests, including cross-origin requests. This is the default behavior if the SameSite attribute is not set, but for None to work, the Secure attribute must also be set.


  • Lax: Cookies are sent with top-level navigation requests and some GET requests (e.g., when a user clicks a link to the site), but not with embedded requests such as images or frames from third-party sites, and not with cross-site POST requests, which are the kind a malicious site would use to change data on the server. This provides a balance between security and usability, preventing most CSRF attacks while allowing some cross-site requests.
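To put these attributes into practice, here is an added example (my code, not part of the original post) that builds a hardened session cookie with Python's standard http.cookies module and audits any Set-Cookie header value for the weaknesses discussed above: a missing Secure or HttpOnly flag, SameSite left unset, and SameSite=None without Secure. The sample headers are constructed for the demonstration, and SameSite is set explicitly rather than relying on whatever a given browser defaults to.

```python
from http.cookies import SimpleCookie
import secrets


def build_session_cookie(session_id, max_age=3600, samesite="Lax"):
    """Return a Set-Cookie header value for the session id with every
    protective attribute from the article set explicitly."""
    jar = SimpleCookie()
    jar["session"] = session_id
    morsel = jar["session"]
    morsel["secure"] = True        # HTTPS only, never sent over plain HTTP
    morsel["httponly"] = True      # not visible to document.cookie (XSS cannot read it)
    morsel["samesite"] = samesite  # set explicitly, do not rely on browser defaults
    morsel["max-age"] = max_age    # persistent cookie, deleted after max_age seconds
    morsel["path"] = "/"
    return morsel.OutputString()


def audit_set_cookie(header):
    """Parse a Set-Cookie header value and list the weaknesses its attributes
    leave open. An empty list means every check passed."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")      # cookie-name=value comes first
    attrs = {}
    for part in parts[1:]:                         # attribute names are case-insensitive
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure flag, cookie can travel over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly flag, readable by scripts (XSS can exfiltrate it)")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append(f"{name}: SameSite not set, cross-site sending left to browser defaults")
    elif samesite == "none":
        if "secure" not in attrs:
            findings.append(f"{name}: SameSite=None requires the Secure flag")
        findings.append(f"{name}: SameSite=None, sent on cross-site requests; CSRF defence must come from elsewhere")
    return findings


# Constructed sample headers (not captured from any real site).
WEAK_HEADER = "session=abc123; Path=/"
NONE_WITHOUT_SECURE = "session=abc123; HttpOnly; SameSite=None; Path=/"

if __name__ == "__main__":
    hardened = build_session_cookie(secrets.token_urlsafe(32))
    print(hardened)
    for label, hdr in (("weak", WEAK_HEADER), ("none-no-secure", NONE_WITHOUT_SECURE), ("hardened", hardened)):
        print(label, audit_set_cookie(hdr) or ["OK"])
```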




Important: I have mentioned the term CSRF attacks a few times now, so let's understand what it means.


CSRF Attacks



A CSRF attack occurs when an attacker tricks a user's browser into making an unwanted request to a different site where the user is authenticated.




Example: A malicious site submits a form to your bank, and because the browser automatically attaches your active session cookie, the bank treats the request as yours.


Conclusion



While both methods work, cookie-based authentication with proper security flags provides better protection against common web vulnerabilities like XSS and CSRF attacks.