User identification
BonBon Slick, 2017-12-26 22:34:23

User authentication and registration without cookies?

What is the best way to avoid using cookie authentication on the site?
This is when the user logged into the account, created a cookie, or clicked remember me, also without creating a cookie to remember the user.

2 answer(s)
Vladimir Dubrovin, 2017-12-27
@BonBonSlick

There are actually two points here:
1. How to store the session on the client
You can store it inside the DOM of the page (for example, as a hidden form parameter), inside a JS variable, or in the browser's LocalStorage. If permanent storage is meant (after closing the page), then the only alternative to cookies is LocalStorage.
2. How to transfer it to the server.
You can pass it as a request parameter or as a header (if the requests are via Ajax).
But the main question is why do this, because all of these methods are less secure than HttpOnly cookies: any XSS vulnerability will lead to session hijacking.
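
The HttpOnly point in this answer, as an added example that is not part of the original answer: a Node.js check of `Set-Cookie` headers that reports which cookies `document.cookie` would expose to any script running on the page. The function names and the sample header values are constructed for illustration.

```javascript
// Added example: audit Set-Cookie headers for cookies a page script could read.
// Function names and the sample headers below are constructed, not from the page.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name: nothing usable
  const attrs = {};
  for (const item of rest) {
    if (!item) continue;
    const i = item.indexOf('=');
    const key = (i === -1 ? item : item.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : item.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Findings for one session cookie; an empty list means nothing to report.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  if (!c) return ['unparseable'];
  const findings = [];
  if (!c.attrs.httponly) findings.push('readable by page scripts (no HttpOnly)');
  if (!c.attrs.secure) findings.push('may be sent over plain HTTP (no Secure)');
  const ss = String(c.attrs.samesite || '').toLowerCase();
  if (ss !== 'lax' && ss !== 'strict') findings.push('no explicit SameSite=Lax/Strict');
  return findings;
}

// Names that document.cookie would expose to any script on the page.
function scriptVisible(headers) {
  return headers.map(parseSetCookie)
    .filter((c) => c && !c.attrs.httponly)
    .map((c) => c.name);
}

// Constructed sample response headers.
const sample = [
  'sid=constructed-session-id; Path=/; HttpOnly; Secure; SameSite=Lax',
  'token=constructed-api-token; Path=/',
  'theme=dark; Path=/; SameSite=Lax',
];
for (const h of sample) console.log(h.split('=')[0], auditSessionCookie(h));
console.log('document.cookie would expose:', scriptVisible(sample));
```

A session identifier kept in LocalStorage, a JS variable or a hidden form field is in the same position as the `token` cookie here: every script on the page can read it.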

Dimonchik, 2017-12-26
@dimonchik2013

Information about the user must be transmitted somewhere, usually this is an HTTP header, but you can also GET/POST with no other parameters
