There is a common misunderstanding about how these two topics relate. Some people think they are mutually exclusive, as in "token versus cookie", when in fact both can be used together because they serve different purposes.
We will see how they differ and how they can play together to help you manage the authentication of your application.
Without going into the basics of cookies, we will cover the parts of them that are relevant to authentication. Cookie-based authentication has been the default, tried-and-true method for handling user authentication for a long time.
Let's look at the flow of traditional cookie-based authentication:
- The user enters their login credentials, usually username/email and password.
- The server checks that the credentials are correct, and if the application needs a session, it creates it and stores it in a database, in memory or as a part of the following cookie (though it is the...