Test your understanding of session-based versus token-based authentication for REST APIs, including differences in cookies, JWTs, refresh tokens, expiration, revocation, and CSRF protection. This easy-level quiz helps you reinforce key concepts and best practices in modern API security.
Where is user session data typically stored when using classic session-based authentication for REST APIs?
Explanation: Session-based authentication stores the session data on the server (in memory, a database, or a cache such as Redis); the client holds only an opaque session ID, usually in a cookie, and the server looks the session up on each request. With JWT-based token authentication most of that data lives in the token itself, not on the server. Putting session data in the request URL or on the user's operating system is insecure and not a standard practice for API authentication.
Why are JWTs (JSON Web Tokens) considered stateless in token-based authentication for REST APIs?
Explanation: JWTs are stateless because they carry the user's claims inside the token and are validated by checking the signature, so the server needs no session store and no per-request lookup. Requiring server-side lookups or session IDs would undermine that statelessness. A JWT can be stored in a cookie, but that is a storage and transport choice, not the reason it is stateless.
What is the main purpose of a session ID in a session-based authentication system for REST APIs?
Explanation: A session ID uniquely identifies a user's session stored on the server, allowing the server to recognize authenticated users. Session IDs do not store passwords, generate routes, or handle header encryption. The other options describe functions not associated with session IDs.
Which field in a JWT defines when the token will become invalid for authentication purposes?
Explanation: The 'exp' (expiration) claim holds the time, as seconds since the Unix epoch, after which the token must be rejected; verifiers compare it with the current time, usually allowing a few seconds of clock-skew leeway. 'aud' is the audience the token is intended for, 'nbf' (not before) is the earliest time the token may be accepted, and 'sig' is not a claim at all: the signature is the third segment of the compact token, not a field in the payload. Only 'exp' controls expiration.
What is the primary role of a refresh token in a token-based authentication system for REST APIs?
Explanation: The refresh token is used to get a new access token without requiring the user to log in again, extending the authenticated session securely. It does not log users out, encrypt data, or replace passwords. Those tasks are handled differently in authentication systems.
Which authentication method is more vulnerable to CSRF attacks in REST API contexts, and why?
Explanation: Cookie-based authentication is more vulnerable to CSRF because the browser attaches cookies to every request to that site, including requests a hostile page triggers from the victim's browser. A JWT kept in localStorage or sent as a Bearer token in the Authorization header is attached only by the application's own code, so a cross-site page cannot make the browser send it (localStorage trades CSRF exposure for XSS exposure, though). The HttpOnly flag does not help against CSRF: it stops scripts from reading the cookie, but the browser still sends it with the request.
In session-based authentication, how can a server immediately revoke a user's session after logout?
Explanation: By deleting the session data on the server, the server can invalidate the session immediately, making further requests unauthorized. Changing a password, changing a profile picture, or updating browser settings do not directly affect the session's validity.
Why is immediate token revocation challenging with JWT-based authentication for REST APIs?
Explanation: A signed JWT is validated from its signature and claims alone, with no server-side state, so it stays valid until 'exp' whatever happens in between (logout, password change, account lock). Revoking it earlier needs extra infrastructure: a denylist of token IDs ('jti') consulted on every request, rotation of the signing key, or simply short token lifetimes paired with revocable refresh tokens. The other options are wrong because the payload of a signed JWT is only base64url-encoded rather than encrypted, which has nothing to do with revocation; there is normally no central real-time blacklist; and JWT validation does not require a server session lookup.
Which location is recommended for storing JWTs in the browser to reduce the risk of XSS attacks?
Explanation: HttpOnly cookies cannot be read by JavaScript, so a script injected through XSS cannot exfiltrate the token, unlike tokens kept in localStorage, IndexedDB, or DOM variables, all of which client-side script can read (an attacker with XSS can still make requests from the victim's browser, but cannot steal the token itself). The trade-off is that the browser now attaches the cookie automatically, so it also needs the Secure and SameSite attributes and the API needs CSRF protection.
How is a Bearer token typically sent when authenticating requests to a REST API?
Explanation: Bearer tokens are sent in the Authorization header ('Authorization: Bearer <token>', as defined in RFC 6750), which is what proxies, frameworks and API clients expect and keeps the credential out of URLs. Tokens placed in a URL end up in server logs, browser history and Referer headers; body fields are not a standard carrier and cannot be used on GET requests; a domain name cannot carry a credential at all.
Which authentication approach generally scales better across distributed REST API servers?
Explanation: Token-based approaches like JWTs are stateless, so any server that holds the verification key can validate a token and no session state has to be shared. Session-based methods with in-memory storage need sticky sessions or a shared session store (a database or cache) so that every server sees the same sessions, which adds cost and a dependency. Browser cache and desktop-app tokens are not practical or secure ways to scale authentication across distributed systems.
For REST API authentication, what is the main purpose of an access token?
Explanation: An access token is used to authorize the client to access specific API endpoints as a certain user. It is not used to transmit private keys, display UI components, or serve as a permanent identifier; those are handled by separate mechanisms.
Which cookie attribute reduces the risk of CSRF attacks in REST API authentication?
Explanation: The SameSite attribute tells the browser not to attach the cookie to cross-site requests, which blocks the classic CSRF scenario. SameSite=Strict never sends it cross-site; SameSite=Lax still sends it on top-level GET navigations, so state-changing endpoints must not accept GET, and older browsers ignore the attribute altogether, so pair it with an Origin/Referer check or an anti-CSRF token. 'expires' and 'max-age' control the cookie's lifetime and 'domain' restricts its scope; none of them is designed for CSRF mitigation.
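The cookie attributes discussed here and the CSRF exposure of cookie-based authentication from the earlier question, as an added Python example (not code from the original quiz page): a builder for a Set-Cookie header carrying Secure, HttpOnly and SameSite, and a server-side check that cookie-authenticated state-changing requests come from an allowed origin, which is the defence in depth behind SameSite. The cookie name, origins and request headers are constructed for the demo.

```python
from urllib.parse import urlparse

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def session_cookie(name: str, value: str, max_age: int, same_site: str = "Lax") -> str:
    """Build a Set-Cookie header value for a login-session cookie with the defensive attributes set.

    Secure keeps it off plaintext HTTP, HttpOnly keeps it away from scripts (XSS),
    SameSite keeps the browser from attaching it to cross-site requests (CSRF).
    """
    if same_site not in ("Strict", "Lax", "None"):
        raise ValueError("SameSite must be Strict, Lax or None")
    attrs = [f"{name}={value}", "Path=/", f"Max-Age={max_age}",
             "Secure",          # browsers also require Secure for SameSite=None
             "HttpOnly",
             f"SameSite={same_site}"]
    return "; ".join(attrs)


def csrf_check(method: str, headers: dict, allowed_origins) -> tuple:
    """Decide whether a cookie-authenticated request may change state. Returns (allowed, reason).

    Defence in depth behind SameSite: Lax still sends cookies on top-level GET navigations
    and older browsers ignore the attribute, so state-changing requests must also prove
    they came from our own origin (Sec-Fetch-Site, then Origin, then Referer).
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method (must not change state)"
    h = {k.lower(): v for k, v in headers.items()}
    fetch_site = h.get("sec-fetch-site")
    if fetch_site == "same-origin":
        return True, "Sec-Fetch-Site=same-origin"
    if fetch_site == "cross-site":
        return False, "Sec-Fetch-Site=cross-site"
    origin = h.get("origin")
    if origin is None and "referer" in h:
        ref = urlparse(h["referer"])
        origin = f"{ref.scheme}://{ref.netloc}"
    if origin is None:
        # No way to tell where it came from: fail closed for anything that changes state.
        return False, "no Origin or Referer on state-changing request"
    if origin in allowed_origins:
        return True, f"Origin {origin} allowed"
    return False, f"cross-origin request from {origin}"


if __name__ == "__main__":
    print(session_cookie("sid", "c8a1f0", 3600))
    ours = {"https://app.example.com"}
    # Constructed requests: a legitimate same-origin POST and two forged cross-site ones.
    print(csrf_check("POST", {"Origin": "https://app.example.com"}, ours))
    print(csrf_check("POST", {"Origin": "https://evil.example"}, ours))
    print(csrf_check("POST", {"Sec-Fetch-Site": "cross-site"}, ours))
    print(csrf_check("GET", {}, ours))
```

Run the check only on requests that were authenticated by a cookie; a request authenticated by an Authorization header was already attached deliberately by the calling code and needs no CSRF check.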
What is one main security advantage of making REST API tokens expire after a short period?
Explanation: Short-lived tokens minimize the potential damage an attacker can do with a compromised token by restricting its validity period. Typing speed, network latency, and password complexity are unrelated to token expiration and do not have an impact on token security.
Which authentication method is usually preferred in mobile apps interacting with REST APIs?
Explanation: Token-based authentication is preferred for mobile apps due to its statelessness and flexibility across platforms. Session-based methods and volatile cookies are less mobile-friendly, while operating system password caching is not a standard authentication approach for REST APIs.
How can a REST API server revoke a user's refresh token before its scheduled expiration?
Explanation: To revoke a refresh token early, the server removes it from its store of valid refresh tokens (or, where tokens are not stored, adds it to a denylist) so that the next refresh attempt with it fails. Because refresh tokens are long-lived, they should also be rotated on every use, with reuse of an already-rotated token treated as theft. Deleting the application's cache, shortening the token's name, or updating the user's email does not affect a token's validity.
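Refresh-token revocation as described here, with the rotation and reuse detection that make long-lived refresh tokens safe, as an added Python example (not code from the original quiz page): a server-side store that keeps only a hash of each opaque token, rotates on every refresh, revokes an entire login 'family' on logout, and kills the family when a retired token is presented again. The subject names, lifetimes and timestamps are constructed for the demo.

```python
import hashlib
import secrets
import time


class RefreshTokenStore:
    """Server-side store of opaque refresh tokens with rotation and reuse detection.

    Only a SHA-256 hash of each token is stored, so a database leak does not hand out
    usable tokens. Every login starts a 'family'; each refresh retires the presented
    token and issues a fresh one in the same family. Presenting a retired token again
    means it was stolen (or replayed), and the whole family is revoked so the thief's
    copy dies with it.
    """

    def __init__(self, ttl: int = 30 * 24 * 3600):
        self.ttl = ttl
        self._tokens = {}  # sha256(token) -> {"sub", "family", "exp", "retired"}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, sub: str, family: str = None, now=None) -> str:
        """Mint a new random refresh token for `sub` (a new family unless one is given)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = {
            "sub": sub,
            "family": family or secrets.token_urlsafe(16),
            "exp": now + self.ttl,
            "retired": False,
        }
        return token

    def rotate(self, token: str, now=None) -> tuple:
        """Exchange a refresh token for a new one; returns (new_token, sub) or raises PermissionError."""
        now = time.time() if now is None else now
        rec = self._tokens.get(self._key(token))
        if rec is None:
            raise PermissionError("unknown or revoked refresh token")
        if rec["retired"]:
            self.revoke_family(rec["family"])
            raise PermissionError("refresh token reuse detected; family revoked")
        if now > rec["exp"]:
            raise PermissionError("refresh token expired")
        rec["retired"] = True  # kept, not deleted, so that a replay can be recognised
        return self.issue(rec["sub"], rec["family"], now), rec["sub"]

    def revoke(self, token: str) -> bool:
        """Immediate revocation, e.g. on logout: removes the token's whole family."""
        rec = self._tokens.get(self._key(token))
        if rec is None:
            return False
        self.revoke_family(rec["family"])
        return True

    def revoke_family(self, family: str) -> int:
        """Drop every token of a family (logout everywhere, admin lock-out, reuse detected)."""
        doomed = [k for k, r in self._tokens.items() if r["family"] == family]
        for k in doomed:
            del self._tokens[k]
        return len(doomed)


def try_refresh(store: RefreshTokenStore, token: str, now=None) -> dict:
    """Wrapper that reports the outcome instead of raising, for the demo and tests."""
    try:
        new_token, sub = store.rotate(token, now)
        return {"ok": True, "token": new_token, "sub": sub}
    except PermissionError as err:
        return {"ok": False, "reason": str(err)}


if __name__ == "__main__":
    store = RefreshTokenStore(ttl=7 * 24 * 3600)
    t1 = store.issue("alice", now=1000)
    r1 = try_refresh(store, t1, now=1010)           # ok, new token in the same family
    r2 = try_refresh(store, t1, now=1020)           # reuse detected; family revoked
    r3 = try_refresh(store, r1["token"], now=1030)  # unknown: the legitimate copy died too
    print(r1["ok"], r2["reason"], r3["reason"])
```

Revoking the family on reuse does log out the legitimate client as well, which is the intended outcome: the server cannot tell which of the two holders is the thief, so it forces both to authenticate again.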