Token Based Authentication

This lesson introduces another method of authentication called token-based authentication.

In the previous lesson, we discussed that in session-based authentication, the user information is stored on the server. This causes a number of performance and scalability problems. But what if we don't want to store the user information on our server at all? We can't store it in cookies either: cookies have a size limit, and keeping user data in them is not safe.

We have an alternative to cookies, and that alternative is tokens. A token can hold all the user information in an encrypted format, and the token itself is stored on the client side.

Here is the basic flow of token-based authentication:

  1. The client sends a request to the server with a username/password.
  2. The application validates the credentials and generates a secure, signed token for the client.
  3. The token is sent back to the client and stored there.
  4. When the client needs to access a protected resource on the server, it sends the token in an HTTP header.
  5. The server decodes and verifies the attached token. If it is valid, the server processes the request and sends a response to the client.
  6. When the client logs out, the token is destroyed.
