Cookies vs Basic Auth

session-cookies basic-authentication
loxs picture loxs · Feb 19, 2011 · Viewed 14.8k times · Source

Why almost all websites out there are using cookies instead of basic auth? It can't be only that the user/pass window is ugly and none of them is more secure. They are both insecure (without https).

Answer

Andrew Marshall picture Andrew Marshall · Feb 19, 2011

To logout of a basic auth login the browser often needs to be quit entirely. This means there is no way for the server to log out the user.

I believe basic auth also has more overhead (assuming your cookie size isn't massive), but I might be wrong about that.

HTTP basic auth also sends the username and password with every request, making it potentially less secure because there is more opportunity for interception.

Related questions

How to use cURL to send Cookies?

I read that Send cookies with curl works, but not for me. I have a REST endpoint as: class LoginResource(restful.Resource): def get(self): print(session) if 'USER_TOKEN' in session: return 'OK' return 'not authorized', 401 When I try …

Read More
Invalidating JSON Web Tokens

For a new node.js project I'm working on, I'm thinking about switching over from a cookie based session approach (by this, I mean, storing an id to a key-value store containing user sessions in a user's browser) to a …

Read More
How to delete cookies on an ASP.NET website

In my website when the user clicks on the "Logout" button, the Logout.aspx page loads with code Session.Clear(). In ASP.NET/C#, does this clear all cookies? Or is there any other code that needs to be added …

Read More