1

I have a system consisting of a custom software and an HTTP server. The software will send some requests with some headers and the HTTP server will send response back.

Now I have some custom authentication related headers that the server will send to the software, the software will keep those headers and send them back in each additional requests to bypass the authentication process.

Based on my understanding, this should be done using cookies. However in the custom software development adding normal headers is easy while adding cookies are harder to implement, and using normal headers works functionally as well based on testing.

What I want to know is, is there any security reason and/or other reasons that a cookie should be used instead of a normal HTTP custom header?

cr001
  • 195
  • 2
  • 8
  • Cookies are also often set by sending a header from the server - in node for example: `res.setHeader('Set-Cookie', 'sessionCookie=value; HttpOnly');` – shearn89 Dec 17 '21 at 09:56

1 Answers1

2

That is more a software development question and likely to attract better answers on the StackOverflow, Software Engineering or possibly the security SE sites.

But the most simple answer is that a header is set by the client and generally static, like for example including a particular API token with every request.

Sessions and cookies get set by the server. The later gives the server more control and arguably better security. The server can expire them while not invalidating the actual credentials with which you authenticate, making you re-authenticate (for example always after X hours or some idle time) or change their value to prevent session high jacking or replay attacks.

Bob
  • 5,805
  • 7
  • 25