Securing ASP.NET Applications

When it comes to securing ASP.NET applications, or any application in general, authentication and authorization play key roles. Authentication is the process of verifying a user’s identity: it checks whether the supplied credentials are correct. Authorization, on the other hand, is the process of determining what an authenticated user is allowed to do, typically by checking the user’s roles. So, essentially, authorization complements authentication: the first establishes who the user is, the second what that user may access.

There are various authentication types, but the two most important ones are cookie-based authentication and token-based authentication. Cookie-based authentication relies on storing the user’s session ID in a cookie, which is then used for subsequent requests to identify the user. Token-based authentication, on the other hand, uses a token (such as JWT) that is generated after the initial login and sent with each request for user verification.

But, how do they actually work?

Cookie-based Authentication

In Cookie-based Authentication, similar to other types of authentication, the process starts with a user providing a username and password. Once the login button is clicked, traditional authentication, also known as cookie-based or server-based authentication, begins.

In this method, a session is securely created by the server and stored in the server’s memory.

Cookie-based authentication schema

This authentication type works as follows: typically, there is a browser and a server. To authenticate users, a POST request is sent to the authenticate API endpoint, providing the username and password. The server then validates these credentials against the database. If they are correct, a session is securely created by the server and stored in the server’s memory. The server sends back the session ID, which the browser stores in a cookie.

Then, when the user requests data from the API, the cookie containing the session ID is passed along with the request. This session ID is then verified by the server, and the data is returned in an HTTP 200 OK response.
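The flow just described, as an added example that is not code from the original post: an ASP.NET Core minimal API (.NET 8 assumed) using the built-in cookie handler. The user table is a constructed in-memory stand-in for the database lookup, and the endpoint paths are the ones named above.

```csharp
// Added example (not from the original post): cookie-based authentication in an
// ASP.NET Core minimal API. The user store below is a constructed stand-in for
// the database; .NET 8 and the shared framework's Identity password hasher assumed.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Identity;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.Name = "app.session";
        options.Cookie.HttpOnly = true;                          // not readable from JavaScript
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // sent over HTTPS only
        options.Cookie.SameSite = SameSiteMode.Strict;           // limits cross-site request forgery
        options.ExpireTimeSpan = TimeSpan.FromHours(1);
        options.SlidingExpiration = true;
        // An API should answer with 401/403 instead of redirecting to a login page.
        options.Events.OnRedirectToLogin = ctx =>
        { ctx.Response.StatusCode = StatusCodes.Status401Unauthorized; return Task.CompletedTask; };
        options.Events.OnRedirectToAccessDenied = ctx =>
        { ctx.Response.StatusCode = StatusCodes.Status403Forbidden; return Task.CompletedTask; };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Constructed stand-in for the user table: username -> (password hash, role).
var hasher = new PasswordHasher<string>();
var users = new Dictionary<string, (string Hash, string Role)>
{
    ["alice"] = (hasher.HashPassword("alice", "correct horse battery staple"), "Admin"),
};

// POST /api/authenticate with JSON {"username": "...", "password": "..."}
app.MapPost("/api/authenticate", async (LoginRequest login, HttpContext http) =>
{
    if (!users.TryGetValue(login.Username, out var record) ||
        hasher.VerifyHashedPassword(login.Username, record.Hash, login.Password)
            == PasswordVerificationResult.Failed)
    {
        return Results.Unauthorized(); // same answer for unknown user and wrong password
    }

    var identity = new ClaimsIdentity(new[]
    {
        new Claim(ClaimTypes.Name, login.Username),
        new Claim(ClaimTypes.Role, record.Role),
    }, CookieAuthenticationDefaults.AuthenticationScheme);

    // Issues the authentication cookie for this browser.
    await http.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                           new ClaimsPrincipal(identity));
    return Results.Ok();
});

// The cookie is sent automatically on later requests; without it this returns 401.
app.MapGet("/api/data", (ClaimsPrincipal user) => Results.Ok(new { hello = user.Identity!.Name }))
   .RequireAuthorization();

app.MapPost("/api/logout", async (HttpContext http) =>
{
    await http.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    return Results.NoContent();
});

app.Run();

record LoginRequest(string Username, string Password);
```

One caveat worth knowing: by default the ASP.NET Core cookie handler does not keep a server-side session at all; it encrypts the whole claims ticket into the cookie using the Data Protection key ring. To get the server-side session store the post describes (where the cookie holds only an identifier), assign an ITicketStore implementation to options.SessionStore; the cookie then carries a session key and the ticket lives on the server, which also makes server-side revocation possible.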

Token-based Authentication

Similarly, in token-based authentication, we have a browser and a server. When you want to authenticate the user, you send a POST request to the server, let’s say to the authenticate API endpoint, and provide the username and password. The server then checks whether the username and password match a record in the database. If they do, it returns a token and a refresh token: two encoded strings (in the case of a JWT, signed by the server) that carry user-related information.

Token-based authentication schema

The token is signed using a secret key on the server, and that key is the only state the server has to keep; no session is stored. The token and the refresh token are therefore not stored in a cookie but in the browser’s memory. Then, if you want to get data from the server, say from the data API endpoint, the request includes an Authorization header with the Bearer scheme followed by the token value. The server checks that the token is valid using the validation rules configured server-side. If the token is valid, it returns the data.

Why Token-based Authentication?

Sessions in cookie-based authentication also have an expiry time, but it is typically much longer than the lifetime of an access token. The expiration time for tokens is usually 5 to 10 minutes. Therefore, after 10 minutes, even if your token is stolen, a malicious user will not be able to use it to access your data.

Once the token has expired, you need to use the refresh token to generate a new token for accessing data. You would send a POST request to, let’s say, the refresh token API endpoint, and pass the refresh token as a parameter. The server will then generate a new token, which you can use to access data.
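The token issuance, bearer validation and refresh steps described in the two sections above, as one added example that is not code from the original post. It assumes .NET 8 and the Microsoft.AspNetCore.Authentication.JwtBearer package; the issuer, audience, signing key and user table are constructed placeholders. It goes slightly beyond the post in one respect: refresh tokens are recorded (hashed) on the server so that each one can be used only once and can be revoked, which a token-only server cannot do.

```csharp
// Added example (not from the original post): JWT access tokens with a 10-minute
// lifetime, Bearer validation, and one-time refresh tokens. Issuer, audience,
// signing key and the user/refresh stores are constructed placeholders.
using System.Collections.Concurrent;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Identity;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Constructed signing key for the example; in practice load it from a secret store.
var signingKey = new SymmetricSecurityKey(RandomNumberGenerator.GetBytes(32));
const string Issuer = "https://example.test";  // placeholder
const string Audience = "example-api";         // placeholder

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.MapInboundClaims = false; // keep "sub" as "sub" instead of remapping it
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true, ValidIssuer = Issuer,
            ValidateAudience = true, ValidAudience = Audience,
            ValidateIssuerSigningKey = true, IssuerSigningKey = signingKey,
            ValidateLifetime = true,
            // The default skew is 5 minutes, which would stretch a 10-minute token to 15.
            ClockSkew = TimeSpan.FromSeconds(30),
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Constructed stand-ins for the database.
var hasher = new PasswordHasher<string>();
var users = new Dictionary<string, string>
{
    ["alice"] = hasher.HashPassword("alice", "correct horse battery staple"),
};
// Active refresh tokens keyed by SHA-256 of the token, so a leaked store is not reusable.
var refreshTokens = new ConcurrentDictionary<string, (string User, DateTime Expires)>();

static string Hash(string value) =>
    Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(value)));

string IssueAccessToken(string username)
{
    var token = new JwtSecurityToken(
        issuer: Issuer,
        audience: Audience,
        claims: new[] { new Claim(JwtRegisteredClaimNames.Sub, username) },
        expires: DateTime.UtcNow.AddMinutes(10), // short lifetime limits the value of a stolen token
        signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));
    return new JwtSecurityTokenHandler().WriteToken(token);
}

string IssueRefreshToken(string username)
{
    var raw = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32)); // opaque, random
    refreshTokens[Hash(raw)] = (username, DateTime.UtcNow.AddDays(7));
    return raw;
}

// POST /api/authenticate -> { accessToken, refreshToken }
app.MapPost("/api/authenticate", (LoginRequest login) =>
{
    if (!users.TryGetValue(login.Username, out var hash) ||
        hasher.VerifyHashedPassword(login.Username, hash, login.Password) == PasswordVerificationResult.Failed)
        return Results.Unauthorized();
    return Results.Ok(new TokenResponse(IssueAccessToken(login.Username), IssueRefreshToken(login.Username)));
});

// POST /api/refresh with the refresh token: the old one is consumed, a new pair is issued.
app.MapPost("/api/refresh", (RefreshRequest req) =>
{
    if (!refreshTokens.TryRemove(Hash(req.RefreshToken), out var entry) || entry.Expires < DateTime.UtcNow)
        return Results.Unauthorized();
    return Results.Ok(new TokenResponse(IssueAccessToken(entry.User), IssueRefreshToken(entry.User)));
});

// GET /api/data with "Authorization: Bearer <accessToken>"
app.MapGet("/api/data", (ClaimsPrincipal user) =>
        Results.Ok(new { user = user.FindFirstValue(JwtRegisteredClaimNames.Sub) }))
   .RequireAuthorization();

app.Run();

record LoginRequest(string Username, string Password);
record RefreshRequest(string RefreshToken);
record TokenResponse(string AccessToken, string RefreshToken);
```

Two design points: the refresh endpoint removes the presented token before issuing a replacement, so a refresh token that is replayed after rotation is rejected, and the access token itself is never looked up on the server, which is the stateless property the post describes. The ClockSkew setting matters for the "10 minutes" claim above: with the library default, an expired token is still accepted for a further 5 minutes.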

Where to go next?

For a comprehensive understanding of token-based authentication and authorization in ASP.NET, I recommend checking out the full course available at the link below.

Securing ASP.NET Applications
Full tutorial

This course is a valuable resource for anyone looking to deepen their understanding of modern authentication and authorization techniques in .NET applications.

Check out my Udemy profile for more great content and exclusive learning resources! Thank you for your support.
Ervis Trupja - Udemy