BiteSizedChunks.comLearn one small thing at a time.

Course contentsShow

909Session-Based Authentication Fundamentals
910Session Storage Options
911Session Stickiness and Load Balancing
912Token-Based Authentication Fundamentals
913JWT Structure and Claims
914Stateless Token Verification
915Token Expiration and Refresh Tokens
916Session vs Token Tradeoffs
917Token Revocation Strategies
918Cookie vs Bearer Token Transport
919Hybrid Session-Token Patterns
920OAuth2 Fundamentals and Use Cases
921OAuth2 Roles: Resource Owner, Client, Server
922Authorization Code Flow
923PKCE: Proof Key for Code Exchange
924Implicit Flow and Why It's Deprecated
925Client Credentials Flow
926Access Tokens vs Refresh Tokens
927Token Introspection and Validation
928OpenID Connect (OIDC) Overview
929ID Tokens and the UserInfo Endpoint
930OAuth2 Scopes and Consent
931OAuth2 Security Best Practices
932Multi-Tenant OAuth2 and Identity Federation
933Role-Based Access Control (RBAC) Fundamentals
934RBAC Implementation Patterns
935Attribute-Based Access Control (ABAC) Introduction
936ABAC Policy Engines
937Access Control Lists (ACLs)
938Relationship-Based Access Control (ReBAC)
939Permission Inheritance and Hierarchies
940Coarse-Grained vs Fine-Grained Authorization
941Policy Decision Points (PDP) and Enforcement Points (PEP)
942Caching Authorization Decisions
943Authorization in Microservices
944Auditing and Compliance for Authorization
945Token Propagation Across Services
946Token Refresh in Distributed Systems
947Distributed Session Management
948Token Revocation at Scale
949Clock Skew and Token Validation
950Auth Service Single Point of Failure
951Caching Authorization Decisions
952Cross-Region Authentication
953Service-to-Service Authentication
954Distributed Auth Audit Logging

909Session-Based Authentication Fundamentals
910Session Storage Options
911Session Stickiness and Load Balancing
912Token-Based Authentication Fundamentals
913JWT Structure and Claims
914Stateless Token Verification
915Token Expiration and Refresh Tokens
916Session vs Token Tradeoffs
917Token Revocation Strategies
918Cookie vs Bearer Token Transport
919Hybrid Session-Token Patterns
920OAuth2 Fundamentals and Use Cases
921OAuth2 Roles: Resource Owner, Client, Server
922Authorization Code Flow
923PKCE: Proof Key for Code Exchange
924Implicit Flow and Why It's Deprecated
925Client Credentials Flow
926Access Tokens vs Refresh Tokens
927Token Introspection and Validation
928OpenID Connect (OIDC) Overview
929ID Tokens and the UserInfo Endpoint
930OAuth2 Scopes and Consent
931OAuth2 Security Best Practices
932Multi-Tenant OAuth2 and Identity Federation
933Role-Based Access Control (RBAC) Fundamentals
934RBAC Implementation Patterns
935Attribute-Based Access Control (ABAC) Introduction
936ABAC Policy Engines
937Access Control Lists (ACLs)
938Relationship-Based Access Control (ReBAC)
939Permission Inheritance and Hierarchies
940Coarse-Grained vs Fine-Grained Authorization
941Policy Decision Points (PDP) and Enforcement Points (PEP)
942Caching Authorization Decisions
943Authorization in Microservices
944Auditing and Compliance for Authorization
945Token Propagation Across Services
946Token Refresh in Distributed Systems
947Distributed Session Management
948Token Revocation at Scale
949Clock Skew and Token Validation
950Auth Service Single Point of Failure
951Caching Authorization Decisions
952Cross-Region Authentication
953Service-to-Service Authentication
954Distributed Auth Audit Logging

← System Design

Lesson 918 of 1,919·24. Authentication and Authorization at ScalePro lesson

Cookie vs Bearer Token Transport

Storing tokens in cookies (auto-sent, CSRF concerns) vs Authorization header (explicit, CORS required) and security implications.

This lesson is for subscribers

You've completed the free preview. Subscribe to unlock every lesson in every course.

See pricing Back to course