Cookies are identity data stored on the client and used for authentication

A cookie is a small piece of data that the server sends to the user's browser, which keeps it locally. The next time the browser makes a request to the same server, it carries the cookie in the Cookie field of the request header

Sessions are implemented on top of cookies: the Session data is stored on the server, and only the SessionID is stored in a Cookie on the client

When a user requests the server for the first time, the server creates a Session from the information the user submitted and returns the SessionID to the browser

After receiving the SessionID from the server, the browser stores it in a Cookie, and the Cookie records the domain name the SessionID belongs to

When the user accesses the server a second time, the browser automatically checks whether there is Cookie information for that domain name. If there is, the browser sends the Cookie to the server, the server reads the SessionID from the Cookie, and then looks up the Session information by that SessionID
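The two halves of the session flow described above, as an added example (not code from the original page): the server mints an unguessable SessionID on the first request, keeps the real session data in a server-side store, and on later requests resolves whatever SessionID arrives in the Cookie header. The store, the cookie name `SESSIONID`, the TTL and the cookie attributes are constructed for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Constructed server-side session store: SessionID -> session data.
# Only the opaque ID ever leaves the server; the user data never does.
SESSIONS = {}
SESSION_TTL_SECONDS = 30 * 60  # sessions are short-lived, as the text notes


def create_session(username):
    """First request: create a Session and return the Set-Cookie header value.

    The SessionID is random, so it carries no information about the user and
    cannot be guessed or forged; it is only a lookup key into SESSIONS.
    """
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {
        "user": username,
        "expires": time.time() + SESSION_TTL_SECONDS,
    }
    # HttpOnly keeps page scripts from reading the cookie, Secure restricts it
    # to HTTPS, SameSite=Lax stops most cross-site requests from carrying it.
    return f"SESSIONID={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def lookup_session(cookie_header):
    """Later request: read SESSIONID from the Cookie header and resolve it.

    Returns the session data, or None when the cookie is missing, unknown
    or expired. Unknown IDs are simply absent from the store, which is why
    a plain session cookie needs no signature to be safe against tampering.
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("SESSIONID")
    if morsel is None:
        return None
    session = SESSIONS.get(morsel.value)
    if session is None:
        return None
    if session["expires"] < time.time():
        SESSIONS.pop(morsel.value, None)  # expired: drop it server-side
        return None
    return session


def destroy_session(cookie_header):
    """Logout: because the state lives on the server, revocation is immediate."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("SESSIONID")
    return morsel is not None and SESSIONS.pop(morsel.value, None) is not None


if __name__ == "__main__":
    set_cookie = create_session("alice")
    print("Set-Cookie:", set_cookie)
    sid = set_cookie.split(";")[0].split("=", 1)[1]
    print("second request resolves to:", lookup_session(f"SESSIONID={sid}"))
    print("forged id resolves to:", lookup_session("SESSIONID=not-a-real-id"))
```

Note that nothing about the user is recoverable from the cookie itself; an attacker who steals the cookie can replay it, which is why the HttpOnly and Secure attributes and a short TTL matter, and why server-side revocation (shown in `destroy_session`) is the one thing this design does better than a self-contained token.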

The Token authentication process is as follows

  1. The client requests login with a username and password
  2. The server receives the request and verifies the username and password
  3. After authentication succeeds, the server generates a Token. The Token consists of a header, a payload, and a signature; the header and payload are Base64-encoded, the signature is computed over them, and the result is sent to the client
  4. After receiving the Token, the client stores it, for example in a Cookie or in localStorage
  5. On later requests, the client sends the Token in a request header, usually the Authorization field or the Cookie field
  6. The server receives the request and verifies the Token
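Steps 3 and 6 of the token flow, as an added example that is not code from the original page: a JWT-style token built from a base64url-encoded header and payload plus an HMAC-SHA256 signature over both, and the verification the server performs when the token comes back. The secret and the claims are constructed for the example; `now` is a parameter so the expiry check is deterministic.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    # JWT uses base64url without padding (RFC 7515), not plain Base64.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, claims: dict) -> str:
    """Step 3: header.payload.signature, signed with a server-held secret.

    Base64 is an encoding, not encryption: anyone holding the token can read
    the claims. The signature is what stops them from changing the claims.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    compact = {"separators": (",", ":")}
    segments = [
        _b64url_encode(json.dumps(header, **compact).encode()),
        _b64url_encode(json.dumps(claims, **compact).encode()),
    ]
    signing_input = ".".join(segments).encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [_b64url_encode(signature)])


def verify_token(secret: bytes, token: str, now=None):
    """Step 6: return the claims if the token is authentic and unexpired, else None.

    The algorithm is pinned to HS256 before the signature is checked, so a
    header rewritten to another algorithm (including "none") is rejected.
    The comparison is constant-time to avoid leaking the expected signature.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None  # malformed token: bad segment count, base64 or JSON
    if "exp" in claims and claims["exp"] <= now:
        return None  # expired: the server cannot revoke it, so exp is the only cut-off
    return claims


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret-do-not-reuse"
    token = issue_token(SECRET, {"sub": "alice", "exp": int(time.time()) + 3600})
    print("Authorization: Bearer", token)
    print("verified claims:", verify_token(SECRET, token))
    header_b64, _, sig_b64 = token.split(".")
    forged_payload = _b64url_encode(b'{"sub":"admin"}')
    print("tampered payload verifies as:", verify_token(SECRET, f"{header_b64}.{forged_payload}.{sig_b64}"))
```

Because the server keeps no per-token state, a stolen token stays valid until `exp`; that is the trade-off behind the page's remark that tokens are usually given long expiry while sessions expire quickly.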

The differences between the three are

  1. Tokens carry a signature; Session Cookies do not
  2. Cookies have a size limit, usually no larger than 4KB per cookie; the other two have no such limit
  3. The Session is stored on the server; the other two are stored on the client
  4. A Session is usually used to record a login session: it makes the server stateful and expires after a short time. The other two are usually used as credentials for accessing resources and are given a long expiration
  5. Sessions and Cookies do not cross domains. Each Cookie is bound to a single domain name, although a parent domain and its subdomains can share a cookie, depending on the Domain attribute
  6. Cookies are bound to domain names, Sessions are bound to a single browser session, and Tokens are bound to the user-agent terminal
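Points 5 and 6 above hinge on how a browser decides which hosts a cookie is sent to. The following added example (not code from the original page) implements that rule as RFC 6265 describes it: a cookie set without a Domain attribute is host-only and returns only to the exact host that set it, while a cookie with `Domain=example.com` is shared by `example.com` and every subdomain, but never by a look-alike such as `evilexample.com`. Host names used are constructed.

```python
import ipaddress
from http.cookies import SimpleCookie


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-matching: equal, or request_host is a subdomain of cookie_domain.

    The match is on whole labels ("." + domain), so "evilexample.com" does
    not match "example.com". A request host that is an IP address never
    matches a parent, because an IP has no parent domain.
    """
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if request_host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(request_host)
        return False
    except ValueError:
        pass
    return request_host.endswith("." + cookie_domain)


def cookie_scope(set_cookie_value: str, origin_host: str):
    """Derive (domain, host_only) from a Set-Cookie value received from origin_host.

    No Domain attribute -> host-only cookie bound to origin_host itself.
    Domain attribute present -> shared with that domain and its subdomains.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    morsel = next(iter(jar.values()))
    domain_attr = morsel["domain"]
    if domain_attr:
        return domain_attr.lstrip(".").lower(), False
    return origin_host.lower(), True


def cookie_is_sent(request_host: str, cookie_domain: str, host_only: bool) -> bool:
    """Would the browser attach this cookie to a request for request_host?"""
    if host_only:
        return request_host.lower().rstrip(".") == cookie_domain.lower().rstrip(".")
    return domain_matches(request_host, cookie_domain)


if __name__ == "__main__":
    # Constructed: a session cookie set by app.example.com with and without Domain.
    shared = cookie_scope("SESSIONID=abc; Domain=example.com; Path=/; Secure; HttpOnly", "app.example.com")
    host_only = cookie_scope("SESSIONID=abc; Path=/; Secure; HttpOnly", "app.example.com")
    for host in ["app.example.com", "www.example.com", "example.com", "evilexample.com"]:
        print(f"{host:20} shared={cookie_is_sent(host, *shared)!s:5} host-only={cookie_is_sent(host, *host_only)}")
```

Setting a broad `Domain` widens where a session cookie travels, so a compromised sibling subdomain can receive it; omitting the attribute (host-only) is the narrower default and the safer one for a session identifier.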