In token-based authentication, the server generates a token which is shared with the client. The client will send this token on subsequent requests to the server. So, I am just wondering how it differs from the cookie mechanism? Cookies also work in a similar fashion.
Cookies are saved on a browser. Tokens are used when the server and client are separated. For example, if there's an Android app that connects to a server, it will send the token with each request to a secured endpoint.
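As an added illustration (not code from any of the posts above), here is a minimal Python sketch of the mechanism the question describes: the server mints an HMAC-signed, expiring token, and one verification routine accepts it whether a browser sends it back as a cookie or a separate client such as a mobile app sends it in an Authorization header. The signing key, the cookie name `session` and the header layout are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example key; a real server would load this from configuration.
SERVER_KEY = b"example-server-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Server side: mint the token the client presents on later requests."""
    now = int(time.time()) if now is None else now
    payload = _b64(json.dumps({"sub": user, "exp": now + ttl}).encode())
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user name if the token is intact and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".")
        expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # signature mismatch: token was altered or forged
        claims = json.loads(_unb64(payload))
        if claims.get("exp", 0) <= now:
            return None  # expired
        return claims.get("sub")
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token


def authenticate_request(headers: dict, now: Optional[int] = None) -> Optional[str]:
    """Accept the same token from a browser cookie or a bearer header."""
    token = None
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        token = auth[len("Bearer "):]
    else:
        for part in headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "session":
                token = value
    return verify_token(token, now) if token else None
```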
Token-based authentication is used to separate the web application from the identity provider. It establishes a mutual trust between three parties. This allows you to log in using a Facebook account, for instance, but it's also possible that the web application itself acts as an identity provider (by keeping track of a user's credentials).
One of the things that security tokens often provide is a "meta environment" where multiple apps are authenticated by the same token. This isn't quite the same thing as Single Signon, but it's close enough that their functions tend to overlap.
Perhaps the most famous token-based security system is Kerberos, which is the underpinning for modern-day Windows domain security as well as an option for other environments such as the Unix-like OSes. Another popular favorite is OAuth, which allows web applications from different servers to vouch for each other.
An IDE is no substitute for an Intelligent Developer.