re: Do you need OAuth/OAuth2/OpenID Connect?

re: Tomcat, for example, manages a user session where it stores the session ID in either a cookie or the URL - for browsers that don't have cookies ena...

Ah, yeah, seems to be pretty standard in Java stuff, which I avoided because of some experiences with Tomcat. ASP.NET uses a separate auth cookie from the session cookie. Even way back when I was doing PHP, it never occurred to me to lump the auth in with the session.

Sessions have made it onto my list of top hated things; I wouldn't use them for anything. But comparing an auth cookie without a session vs. an auth token, tokens look like the better option.
