❔ Session vs Cookies vs Cache
I am currently researching this, but just can't find an end on which one I should use.
Like, what are the main differences?
I need it for simple authentication (user/pass) of my web app (3-4 pages) and automatic logout if inactive too long.
11 Replies
Authentication is not an easy topic. These three topics you mention are different parts of different authentication approaches, not the approaches themselves.
But basically we can say authentication with ASP.NET Session vs JWT
in the Session approach, you authenticate the user and return a SessionId; the user's state is stored in the backend (e.g. in a database)
the client passes the SessionId with each request
In the JWT approach, you authenticate the user and return a JWT token; you don't store the user's state in the backend or anywhere else
JWT is kinda stateless because it contains all information within, easier to use
Which one to use is up to you; the Raw Coding YouTube channel has some good tutorials if you are a beginner
Actually I got an older version of one of the company's projects, which had authentication implemented, but it's pretty old.. I think it was written like 7 years ago, still in .NET Framework… It actually uses some kind of mix of all those session-cache-cookies, but idk if it is worth rewriting the same thing.. technically, some of the guides look "pretty easy" to implement, so I am worried that it's not good enough.
ASP.NET Identity has some built-in features; it uses the Session approach with client cookies to store the SessionId
Are your UI and API projects separated?
if you use MVC, then ASP.NET Identity is easier to configure
Yes, I use MVC. I also have 3 API controllers, but they don't need authentication
I checked the integrated template for Identity, but it's a bit overkill with all the stuff (confirm email, forgot password, etc.), I would rather implement it a bit simpler.. But yeah, there are many approaches and idk which one to choose, haha
yes, Session is a bit more complex because you store the user state in the application
but you don't have to implement email, forgot password, etc.
JWT is fine for your case anyway
Yeah but I would still need to store it somewhere in the app
and storing it in the session like
HttpContext.Session.SetString("Something", "Data");
just seems too easy, hahh
there is also something like await _httpContextAccessor.HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, userPrincipal, authProperties);
you don't store JWT's access token inside the API. It should be stored securely in the UI (web, mobile, etc.) and passed with the Authorization header in each request
you can store the JWT's Id value as a TokenId for extra validation in the API (not necessary for small-scale apps, it depends)
Was this issue resolved? If so, run
/close
- otherwise I will mark this as stale and this post will be archived until there is new activity.
Yes, I know, but where in the UI should I store it?
there are several options, in a variable or in web storage
you can search which one is more secure and available for you