I am trying to figure out the pros and cons of using session-based authentication versus cookie-based authentication.
How can I verify cookie authentication?
- User sends a login request sending their credentials
- Credentials are verified using a database
- Cookie will be configured with user data.
- This will be done via HTTPS and the cookies will be encrypted.
- In .NET, if this is the auth cookie, the user id will be set.
- The DB is hit only once; subsequent calls just check the auth cookie.
In the case of session-based authentication
- User sends a login request sending their credentials
- Credentials are verified using a database
- Session id is generated and also stored in db
- Cookie will be configured with user data and generated session id
- Subsequent calls compare the session identifier with the identifier in the database
- The DB is hit every time.
Questions
Is there any reason to prefer one over the other? Is a cookie less reliable (even if you encrypt and sign it)? Is session performance worse since it hits the database on every call? I saw several sites leaning one way or the other, but could not get a clear idea of which approach to use. Any discussion / suggestions would be greatly appreciated.
language-agnostic authentication session forms-authentication
user275157
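The two flows from the question side by side, as an added example that is not part of the original post: flow 1 is a self-contained cookie whose integrity is checked with an HMAC (the post mentions encryption; signing is what the verification step actually depends on, and encryption would be layered on top the same way), flow 2 is an opaque session id looked up server-side. The key, the `SESSIONS` dict standing in for the sessions table, and the cookie layout are all constructed for the example.

```python
import base64, binascii, hashlib, hmac, json, secrets, time
from typing import Optional

SECRET = b"constructed-demo-key"  # constructed; in practice load from a secret store

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())

# Flow 1: self-contained signed cookie. The DB is hit at login only; every
# later request is checked with the HMAC key alone, no lookup.
def issue_signed_cookie(user_id: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    exp = int((now if now is not None else time.time()) + ttl)
    payload = json.dumps({"uid": user_id, "exp": exp}).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_signed_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    try:
        p64, s64 = cookie.split(".", 1)
        payload, sig = _unb64(p64), _unb64(s64)
    except (ValueError, binascii.Error):
        return None  # malformed cookie
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # payload edited or signature forged
    data = json.loads(payload)
    if data["exp"] < (now if now is not None else time.time()):
        return None  # expired; until then it cannot be revoked without rotating SECRET
    return data["uid"]

# Flow 2: opaque session id stored server-side. The dict stands in for the
# sessions table, so every verify_session() call is the per-request DB hit.
SESSIONS = {}

def create_session(user_id: str) -> str:
    sid = secrets.token_urlsafe(32)  # 256 random bits: not guessable, carries no data
    SESSIONS[sid] = user_id
    return sid

def verify_session(sid: str) -> Optional[str]:
    return SESSIONS.get(sid)

def revoke_session(sid: str) -> None:
    SESSIONS.pop(sid, None)  # immediate logout; the signed cookie has no equivalent
```

The trade-off the question asks about shows up in `revoke_session`: the server-side session can be invalidated at any time at the cost of a lookup per request, while the signed cookie costs nothing per request but stays valid until `exp` unless the key is rotated for everyone.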