Difference beetween authentication with cookies and JWT

Question

Hi, I would like to know if you can give me the difference between authentication with cookies and JWT.

Also, I would like to know if I can make an authorisation of my application Independently of the authentication method use : cookies or JWT.

Program.cs in server project : cookie method

builder.Services.ConfigureApplicationCookie(options =>
{
    options.Cookie.HttpOnly = false;
    options.Events.OnRedirectToLogin = context =>
    {
        context.Response.StatusCode = 401;
        return Task.CompletedTask;
    };
});

Program.cs in server project : cookie method

//builder.Services.AddAuthentication(opt =>
//{
//    opt.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
//    opt.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
//}).AddJwtBearer(options =>
//{
 //   options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
   // {
   //     ValidateIssuer = true,
   //     ValidateAudience = true,
   //     ValidateLifetime = true,
    //    ValidateIssuerSigningKey = true,

    //    ValidIssuer = jwtSettings["validIssuer"],
    //    ValidAudience = jwtSettings["validAudience"],
   //     IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtSettings))
  //  };
//});

Thanks in advance to your reply

Answer 1

with cookie authentication the user identification is stored in a cookie. it is typically used with browsers as they support setting and sending cookies with requests. if the request requires authentication, (or expired cookie) typically requests redirect to a login page.

with jwt authentication the user identification is passed via the authentication header as a bearer token. browsers do not support using bearer tokens. this method is handy for api's called by application code, because the code can call to get a jwt token to use in subsequent api calls. if the request requires authentication (or expired token), typically a 401 response is returned.

so in general cookie authentication is used with browser requests, and jwttokens is used for api requests.

note: if a browser page has javascript that does an ajax call, because the browser will include any cookies, often cookie authentication is used. care must be taken if the cookie expires because the response is typically login page html. You can add code to detect an ajax request and return 401 instead of the default redirect.

Answer 2

hi sblb

I asked the same question and a little googling led me to an article that helped me answer the question.

https://jerrynsh.com/all-to-know-about-auth-and-cookies/#:~:text=Neither%20JWT%20nor%20Cookie%20are,within%20your%20browser's%20Cookies%20storage.

Answer 3

I would like to know if you can give me the difference between authentication with cookies and JWT.

Cookies are commonly used in browser (user-agent) based applications. JWTs are used when the client is code like JavaScript or C#.

Also, I would like to know if I can make an authorisation of my application Independently of the authentication method use : cookies or JWT.

An application can have multiple authorization schemas as illustrated in the official documentation.

Authorize with a specific scheme in ASP.NET Core

Answer 4

Hi,@sblb

I would like to know if you can give me the difference between authentication with cookies and JWT.

As mentioned in the document

An authentication scheme's authenticate action is responsible for constructing the user's identity based on request context. It returns an AuthenticateResult indicating whether authentication was successful and, if so, the user's identity in an authentication ticket. See AuthenticateAsync. Authenticate examples include:

A cookie authentication scheme constructing the user's identity from cookies.

A JWT bearer scheme deserializing and validating a JWT bearer token to construct the user's identity.

Also, I would like to know if I can make an authorisation of my application Independently of the authentication method use : cookies or JWT.

You could follow the document above ,create your custom AuthenticationHandler and AutheticationSchemeOptions,consider where to restore user claims and how to read them in your custom handler

public class MyAuthHandler : AuthenticationHandler<MyAuthenOptions>
    {
        public MyAuthHandler(IOptionsMonitor<MyAuthenOptions> options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock) : base(options, logger, encoder, clock)
        {
        }

        protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
        {
            ........
             return AuthenticateResult.Fail/Success/NoResult .....
        }
    }

    public class MyAuthenOptions: AuthenticationSchemeOptions
    {

    }

Regist it in your Program.cs:

builder.Services.AddAuthentication().AddScheme<MyAuthenOptions, MyAuthHandler>("MyScheme", options =>
{
    ........
});

Answer 5

thank you all for your replies.

In my side I define my user identification with cookie authentication.

builder.Services.ConfigureApplicationCookie(options =>
{
    options.Cookie.HttpOnly = false;
    options.Events.OnRedirectToLogin = context =>
    {
        context.Response.StatusCode = 401;
        return Task.CompletedTask;
    };
});

In my first post ask the question :

Also, I would like to know if I can make an authorisation of my application Independently of the authentication method use : cookies or JWT?

I would like to be able to set up an admi account and define the roles.