Server Authentication Method

Source: Internet
Author: User
Server authentication methods:

1. Cookie-based authentication: the server uses cookies to authenticate the user on each request.

2. Token-based authentication: the newer method, which relies on a signed token sent to the server with each request.


Why is the token-based approach better? The reasons are as follows:
1. Cross-origin/CORS: cookies combined with CORS cannot be used across different domain names. With a token-based approach, you can use AJAX to call a server on any domain name, because the user information is transmitted in an HTTP header.

2. Stateless (server-side scalability): there is no need to store sessions. The token is a self-contained entity that carries the user information; other state can be stored in cookies or in local storage on the client.

3. CDN: any component of your application (e.g. JavaScript, HTML, images) can be served from a CDN. Your server is just an API.

4. Decoupling: you are not tied to a specific authentication scheme. The token can be generated anywhere, so your API can verify every call in the same way.

5. Mobile friendly: on a native platform (iOS, Android, Windows 8, etc.), relying on cookies to call a secure API is not a good idea, because you have to deal with a cookie container. Token-based processing is much easier.

6. CSRF: because you do not rely on cookies, you do not need protection against cross-site requests (e.g. a POST request generated from an `<iframe>` that reuses an existing authentication cookie).

7. Performance: a network round trip (such as looking up a session in a database) may take more time than computing an HMAC-SHA256 to verify a token.

8. The login page is not a special case: if you are using a plug-in to write your functional tests, you do not need to handle any special login situations.

9. Standards-based: your API can accept a standard JSON Web Token (JWT). This standard is supported by libraries for multiple platforms (.NET, Ruby, Java, Python, PHP) and by many companies (e.g. Firebase, Google, Microsoft). For example, Firebase allows its customers to use any authentication mechanism: as long as you generate a JWT with the predefined attributes and sign it using the shared key, you can call their APIs.
