The difference between Phoenix Sessions and Phoenix.Token

Hi,
I am reading the programming phoenix book and they are implementing a session based login system, but when browsing the phoenix docs I noticed the Phoenix.Token section which describes itself as the following:

Tokens provide a way to generate and verify bearer tokens for use in Channels or API authentication.

Is this different to Phoenix Sessions? If so what is the difference? If not does phoenix sessions use this?

Also a quick side query: Phoenix has a secret key base stored in the config files but also a signing_salt in the endpoint… What are the differences between these two as well?

Thanks for your help!
Apologies for the learner questions,

Alaister

3 Likes

When using Phoenix Sessions you use (by default) sessions stored in a cookie. This is often used for regular web apps where you render HTML and send cookies along with your requests.

Info about Phoenix sessions: http://www.phoenixframework.org/docs/sessions

If you’re using channels or an API on the other hand you don’t use regular cookies. Instead you generate a token that the user passes with each request to identify themselves.
Phoenix.Token contains functionality for generating and verifying tokens.

Sessions and tokens are not unique to Phoenix and there is a lot of information on Google about this stuff if you want to read more general information. :slight_smile:

The secret key base is used for various things such as generating secrets, signing cookies and tokens and so on. It should be kept secret!

The signing salt (I believe) is used as an additional input when encrypting data in Phoenix (cookies for instance) to make it a bit more secure.

General info about salt: https://en.wikipedia.org/wiki/Salt_(cryptography)

1 Like
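An added example, not from the thread, showing how the two pieces of config the question asks about fit together in Phoenix.Token: the secret key base is the key material, and the salt is mixed in to derive a purpose-specific signing key, so a token issued for one salt does not verify under another. The secret string and the salts "user socket" and "password reset" are constructed for this demo; a real app reads the secret from its endpoint config.

```elixir
# Standalone script: run with `elixir token_demo.exs` (Mix.install fetches Phoenix).
Mix.install([{:phoenix, "~> 1.7"}])

defmodule TokenDemo do
  # Constructed secret for the demo only. In an app this is the endpoint's
  # secret_key_base from config, and Phoenix.Token accepts the endpoint module
  # in place of the raw string.
  @secret_key_base "demo-secret-key-base-" <> String.duplicate("0123456789abcdef", 3)

  # Salts namespace tokens: each salt yields a different derived signing key,
  # so a socket token cannot be replayed as a password-reset token.
  @user_salt "user socket"
  @reset_salt "password reset"

  # Sign a user id; opts can override :signed_at to simulate an old token.
  def issue(user_id, opts \\ []) do
    Phoenix.Token.sign(@secret_key_base, @user_salt, user_id, opts)
  end

  # Verify under a given salt and max_age (seconds). Returns {:ok, data},
  # {:error, :invalid} for a bad signature or wrong salt, {:error, :expired}.
  def check(token, salt \\ @user_salt, max_age \\ 86_400) do
    Phoenix.Token.verify(@secret_key_base, salt, token, max_age: max_age)
  end

  def reset_salt, do: @reset_salt
end

token = TokenDemo.issue(42)

# Same secret and salt within max_age: the original data comes back.
{:ok, 42} = TokenDemo.check(token)

# Same secret, different salt: the derived key differs, so the signature fails.
{:error, :invalid} = TokenDemo.check(token, TokenDemo.reset_salt())

# Any modification of the token breaks the signature.
{:error, :invalid} = TokenDemo.check(token <> "x")

# A token signed two hours ago is rejected when max_age is one hour.
old = TokenDemo.issue(42, signed_at: System.system_time(:second) - 7_200)
{:error, :expired} = TokenDemo.check(old, "user socket", 3_600)

IO.puts("all checks passed")
```

The pattern matches act as assertions, so the script crashes with a MatchError if any outcome differs from the comment beside it.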