Instructor: In the last section, we spoke about authentication and how it is the exchange of some credentials, like a username and password, for some identifying piece of information. The really important part here is how we include that identifying piece of information on any request that we want to be authenticated. So there are two ways that we will include this piece of information: either by cookies or by a manually set token. Let's talk about each one.

So this is a diagram of the differences between cookies and the use of tokens for authentication. On the left-hand side, we have our cookies, and on the right-hand side, tokens.

Cookies are, of course I have to make the obligatory joke, not a cookie that you eat. It's a cookie that is included with HTTP requests by default, made in your browser. So whenever you visit a website like, say, google.com or ebay.com or anything, github.com, you have some number of cookies that are associated with that domain. The purpose of cookies is to kind of bring state into what is inherently a stateless protocol, which is HTTP.

The HTTP protocol has no concept of state, and it's solely by including these cookies, or this tiny bit of data, on requests that we identify ourselves to the server. Cookies are included on all HTTP requests by default. They manifest themselves as a property on the header of any request. A server can choose to place information on a user's cookie that identifies them uniquely to that very particular server. So if they were, say, logging into a website we were making, we could stick a piece of information into this cookie that says, "This is user ID 12794". Then on any follow-up request that that user made, they would have a cookie 12794 that told us, "Hey, this is the same user, they're coming back. It's another request from this same person".

Cookies are automatically included on all requests and, very importantly, are unique to each domain. And when I say domain, I'm talking about, say, google.com versus ebay.com. A cookie that you have that is tied to google.com is not shared and cannot be shared by default with ebay.com. That's how we get some level of security in all of our requests. That's how, if I log into Google and then go to, say, hackerwebsite.com, the hacker website couldn't lift my cookie from Google and hijack my session. So cookies cannot be sent to different domains, and that is something that exists for security purposes. It's so that you cannot easily hijack people's sessions.

Opposed to cookies is the idea of tokens. Now, tokens really aren't necessarily any codified idea here. It's something that has been introduced as a convention: to use tokens in place of cookies where cookies start to fall off as being very useful. So the most important thing about tokens is that we have to wire them up manually. There's nothing done automatically for us with tokens. We have to literally say, when we make a request, include a header with our token, which might be a string of letters and numbers, and we might include it on a very specific header. So we have to manually wire up our tokens at all times. The benefit to tokens, however, is that we can send them to any domain that we wish.

So if I'm on, say, google.com and I want to make an authenticated request to some other, entirely different domain, I can do so by using a token. I would make my request to that other domain, I would include my very particular token, and, poof, I'm authenticated on that other domain. This starts to be very useful if we start making a distributed system for our application. Let's say that we are building an app that consists of many different servers, hosted on many different domains, but I still want my user to be authenticated on all these different domains. That would be the use case of a token instead of a cookie. So again, the real differentiator here, the really real difference, is that with cookies we are restricted to singular domains.

So as we move forward in this section, we're going to move forward with a token-based authentication system. And the reason for this is that that is just the way the industry is trending. You're here to learn the latest and greatest. That's what tokens are here for. Tokens are used much more frequently with very large applications that need to scale. And the reason for that is what we're going to discuss very shortly, in the next section. I'll see you there.