HTTP Cookie Authentication
What is cookie authentication? Cookie authentication authenticates client requests using HTTP cookies. This lets the server maintain a session across requests over HTTP, which is otherwise stateless (each request to the server is independent of the others).
How does cookie authentication work? First, the client sends a login request containing the credentials the server needs to authenticate it. In its response, the server sends a 'Set-Cookie' header that carries the cookie data: a session identifier, an expiry, and other attributes.
From then on, the client sends this cookie with every request to the server. The session ends when the client logs out: the server responds with another 'Set-Cookie' header that expires the cookie.
Cookie authentication has some limitations. First, it is not protected against Cross-Site Request Forgery (CSRF) attacks, because the browser attaches the cookie automatically to requests for that domain regardless of which site initiated them. It is highly recommended to use CSRF tokens as a security measure if you use cookie authentication.
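The login, authenticated request, CSRF check and logout steps described above, modelled server-side in Python as an added example (not code from the original page). The user table, session store and token layout are constructed stand-ins; HttpOnly, Secure and SameSite=Lax are real Set-Cookie attributes that limit script access, plaintext transport and cross-site submission of the cookie.

```python
import hmac
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

# Constructed stand-ins for a credential store and a server-side session table.
USERS = {"alice": "correct horse battery staple"}  # hypothetical user; a real store holds password hashes
SESSIONS: Dict[str, dict] = {}                     # session id -> {"user", "csrf", "expires"}
SESSION_TTL = 3600                                 # seconds a session (and its cookie) stays valid
COOKIE_ATTRS = "Path=/; HttpOnly; Secure; SameSite=Lax"  # no script access, HTTPS only, not sent on cross-site POSTs

def _session_from(headers: Dict[str, str]) -> Tuple[Optional[str], Optional[dict]]:
    """Parse the request's Cookie header and look up the session it names."""
    jar = SimpleCookie(headers.get("Cookie", ""))
    sid = jar["session"].value if "session" in jar else None
    return sid, SESSIONS.get(sid) if sid else None

def login(username: str, password: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Check credentials; on success start a session and return (Set-Cookie header, CSRF token)."""
    expected = USERS.get(username, "")
    if not expected or not hmac.compare_digest(expected, password):
        return None
    sid, csrf = secrets.token_urlsafe(32), secrets.token_urlsafe(32)  # unguessable identifiers
    SESSIONS[sid] = {"user": username, "csrf": csrf,
                     "expires": (time.time() if now is None else now) + SESSION_TTL}
    return f"session={sid}; Max-Age={SESSION_TTL}; {COOKIE_ATTRS}", csrf

def authenticate(headers: Dict[str, str], now: Optional[float] = None) -> Optional[str]:
    """Resolve the cookie on an incoming request to a username, dropping expired sessions."""
    sid, sess = _session_from(headers)
    if sess is None:
        return None
    if sess["expires"] <= (time.time() if now is None else now):
        SESSIONS.pop(sid, None)
        return None
    return sess["user"]

def csrf_ok(headers: Dict[str, str], submitted_token: str) -> bool:
    """State-changing requests must also carry the CSRF token bound to the session."""
    _, sess = _session_from(headers)
    return sess is not None and hmac.compare_digest(sess["csrf"], submitted_token)

def logout(headers: Dict[str, str]) -> str:
    """Discard the session server-side and return a Set-Cookie header that expires the cookie."""
    sid, _ = _session_from(headers)
    if sid:
        SESSIONS.pop(sid, None)
    return f"session=; Max-Age=0; {COOKIE_ATTRS}"
```

A forged cross-site request carries the cookie but not the token, so `csrf_ok` rejects it even though `authenticate` succeeds.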
Cookies are also scoped to a single domain. This can cause issues if, for example, an API service is served from different domains for different platforms (e.g., web and mobile).