
I'm using devise_token_auth for a Rails application with React on the frontend and Rails as the backend.

In the readme the author states that

If you're building SPA or a mobile app, and you want authentication, you need tokens, not cookies.

Why? I understand the basic differences between tokens and cookies, but I don't understand why you couldn't just use cookies (simply including the headers with any XHR requests)?

Adam Thompson
Possible duplicate of [Token Authentication vs. Cookies](https://stackoverflow.com/questions/17000835/token-authentication-vs-cookies) – Daryll Santos May 27 '18 at 03:47

@DaryllSantos I've read through that question before, I still do not understand why you _need_ tokens. Perhaps it is just bad wording from that repository and you don't. – Adam Thompson May 27 '18 at 03:51

While reading through the linked article and after some thinking, I guess there's no real need. They do the same things, especially if you hook in the cookie with the header. I guess it's always been a convention to use tokens when there is a potential non-web-based consumer of the API (mobile app). I could very well be wrong, and anyone can feel free to correct me, but that's my 2c. – Daryll Santos May 29 '18 at 11:51

1 Answer


There are a few major reasons.

First of all, most SPAs are designed to be stateless, and cookie-based authentication is not stateless. Using cookies also makes every request take a little bit longer because there is a lookup on every request.

Cookies are also tied to a domain. Most SPAs use multiple services across multiple domains, which is a no-go with cookie-based authentication. This also applies to SPAs that have both a web app and a mobile app; using token-based authentication means scaling this is much easier.

Tokens can also be used to store data and only need to be generated once; after that there is no work involved except for the server reading the token. This means you can store user permissions etc. in there, and the server can get this information with very little work.

C. Johnson
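The answer's last two points (a token is generated once, carries the user's permissions, and the server only has to read it, versus a cookie session that needs a store lookup on every request) as a runnable Ruby illustration. This is an added example, not code from devise_token_auth or from the answer, and it does not show how that gem actually formats or stores its tokens. The HMAC-signed `payload.signature` layout, the `issue_token`/`verify_token`/`create_session`/`load_session` helpers, the `SECRET` key and the in-memory `SESSION_STORE` are all constructed here for demonstration.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed signing key for this example. In a real Rails app it would come
# from Rails credentials or ENV, never from source control.
SECRET = OpenSSL::Random.random_bytes(32)

def b64(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# --- Stateless, self-contained token -----------------------------------------
# Claims (user id, roles, expiry) are serialised and signed with HMAC-SHA256.
# The server generates it once at login; afterwards it needs only the key to
# read the permissions back out: no session table, no per-request lookup.
def issue_token(user_id:, roles:, ttl: 3600, now: Time.now.to_i, key: SECRET)
  claims  = { 'sub' => user_id, 'roles' => roles, 'exp' => now + ttl }
  payload = b64(JSON.generate(claims))
  sig     = b64(OpenSSL::HMAC.digest('SHA256', key, payload))
  "#{payload}.#{sig}"
end

# Compare MACs without leaking where they differ through timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the claims hash for a valid, unexpired token, or nil. The MAC is
# checked before the payload is parsed, so a tampered payload is never trusted.
def verify_token(token, now: Time.now.to_i, key: SECRET)
  payload, sig = token.to_s.split('.', 2)
  return nil if payload.nil? || sig.nil? || payload.empty?
  expected = b64(OpenSSL::HMAC.digest('SHA256', key, payload))
  return nil unless constant_time_equal?(expected, sig)
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  return nil unless claims.is_a?(Hash) && claims['exp'].is_a?(Integer) && claims['exp'] > now
  claims
rescue ArgumentError, JSON::ParserError
  nil
end

# --- Cookie-backed session, for contrast --------------------------------------
# The cookie value is an opaque session id; every request must consult the
# server-side store (a constructed Hash here, Redis/DB in practice) to learn
# who the user is and what they may do. This is the lookup the answer refers to.
SESSION_STORE = {}

def create_session(user_id:, roles:)
  sid = b64(OpenSSL::Random.random_bytes(16))
  SESSION_STORE[sid] = { 'sub' => user_id, 'roles' => roles }
  sid
end

def load_session(sid)
  SESSION_STORE[sid]
end

if __FILE__ == $PROGRAM_NAME
  token = issue_token(user_id: 42, roles: ['editor'])
  p verify_token(token)  # permissions come straight out of the token

  # Re-encode the payload with an extra role but keep the old signature:
  # verification fails because the MAC no longer matches.
  forged = "#{b64(JSON.generate({ 'sub' => 42, 'roles' => ['admin'], 'exp' => 9_999_999_999 }))}.#{token.split('.').last}"
  p verify_token(forged)

  sid = create_session(user_id: 42, roles: ['editor'])
  p load_session(sid)    # same data, but only after a store lookup
end
```

Two caveats worth keeping in mind when weighing the answer: a self-contained token like this cannot be revoked before `exp` without reintroducing a server-side check (a denylist or a per-user version number), which is exactly the lookup it was meant to avoid; and the format is independent of the transport, so the same signed token can travel in an `Authorization` header or in a cookie. The header-versus-cookie choice is really about who attaches the credential (your JavaScript or the browser automatically), not about whether the server keeps state.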