Understanding Surrogate Advertising

surrogate advertising digital marketing strategy
S
Sunny Goyal

Founder and Creator

 
November 25, 2025 15 min read
Understanding Surrogate Advertising

TL;DR

This article covers surrogate advertising, a tactic where restricted products are promoted indirectly. It includes the history, types, benefits, and legal aspects of surrogate advertising, offering strategies for implementation and measuring success. Explore real-world examples and the future outlook in the digital marketing landscape.

Introduction: The Authentication Landscape

Ever wonder how websites magically remember you after you close your browser? It's all thanks to authentication methods like session cookies and jwt tokens, which are, like, the gatekeepers of the web. Session cookies act as a temporary pass, letting the server know who you are for that visit, while jwt tokens are more like a self-contained digital ID, proving your identity across requests.

Authentication is super important, obviously. (Strong Authentication: Definition & Security Factors - Okta) Think of it as the digital bouncer for your online accounts.

  • First off, it's about protecting user data. (What is Data Protection and Privacy? - Cloudian) nobody wants their info leaked, right?
  • It's also key for preventing unauthorized access; imagine someone hacking your bank account – nightmare fuel!
  • And it's about maintaining application integrity, so things don't go haywire because some random dude messed with the system.

So, what's the deal with these cookies and tokens? Well, samuele spurio explains it pretty well:

  • Session cookies are like a coat check ticket. The server holds your "coat" (your session data) and gives you a "ticket" (the cookie) to prove it's yours. So, server-side sessions with client-side identifiers.
  • JWT's (JSON Web Tokens), on the other hand, are more like a digital passport. It's all self-contained and stored client-side.

Which one's better? Honestly, it's not that simple, and it depends on your needs. Let's dive deeper, shall we?

Understanding Session Cookies

So, you know how websites keep you logged in even after you close the tab? Session cookies are a big part of that seamless experience. They're not as tasty as the ones your grandma makes, but they're pretty crucial for keeping your online life smooth.

Session cookies are like temporary passes that websites give you after you log in. They're all about creating a continuous, seamless experience while you're browsing.

  • User login process: You enter your username and password. The server checks if it's correct – you know, the usual drill.
  • Server-side session creation: If everything checks out, the server creates a session just for you. This session is stored on the server. This "session data" typically includes things like user preferences, shopping cart contents, or temporary authentication states.
  • Cookie storage in browser: The server then sends a unique session id to your browser, which gets stored as a cookie. This cookie doesn't store your personal data directly, which is a good thing because it reduces the exposure of sensitive information on the client-side.
  • Session ID exchange: Every time your browser makes a request to the server, it sends that session id along. The server uses the id to retrieve your session data.

Session cookies have some pretty neat advantages. They're like the reliable workhorses of web authentication.

  • Simplicity of implementation: Setting up session cookies isn't rocket science. Most web frameworks have built-in support, making it relatively easy for developers to get started.
  • Centralized session management: Because session data is stored on the server, it's easier to manage and control. Think of it as having a central control panel for all active user sessions.
  • Easy revocation of sessions: If you need to log someone out—say, if their account is compromised—you can simply delete their session on the server. Boom, done.

It's not all sunshine and rainbows, though. Session cookies come with their own set of security concerns.

  • csrf attacks: Cross-Site Request Forgery (csrf) attacks can trick users into performing actions they didn't intend to. Imagine someone unknowingly transferring money from their bank account because of a malicious link.
  • session hijacking: If an attacker gets their hands on a session id, they can impersonate the user. It's like stealing someone's house key and waltzing right in.
  • cookie security flags (httponly, secure, samesite): These flags are like seatbelts for your cookies. httponly prevents client-side scripts from accessing the cookie, secure ensures the cookie is only sent over https, and samesite helps prevent csrf attacks by restricting when the cookie is sent with cross-site requests.

So, session cookies aren't perfect, but they're a solid option for many web applications. Next up, we'll dive into jwt tokens and see how they stack up.

Exploring JWT Tokens

Ever wondered how those single sign-on (sso) experiences work across different apps? JWT tokens have a lot to do with that magic.

Okay, so what is a jwt? Well, it's essentially a string that contains info, signed cryptographically so it can be trusted. Think of it like a digital wax seal on an envelope.

  • Header, payload, and signature: A jwt has three parts separated by dots. The header says what algorithm is used. The payload carries the actual data (claims), like user id or roles. And the signature? That's the digitally signed part which validates the integrity of the token.

  • Base64 encoding: The header and payload are base64 encoded. This encoding makes the token url-safe, which means it can be easily passed around in headers or urls. It's not encryption, though; anyone can decode it. This encoding is intentional for readability and transport, not for security.

  • Cryptographic signing: This is where the security comes in. The signature is created by taking the encoded header, the encoded payload, a secret key, and using the algorithm specified in the header to generate a hash.

  • Stateless authentication: Unlike session cookies, that needs a server to keep track of things, with jwt's the server doesn't need to remember the user. The token itself contains all the necessary information.

Here's a diagram illustrating the JWT authentication flow:

Why are jwt's so popular, then? Well, they have some pretty compelling advantages.

  • Scalability and distributed systems: Since jwt's are stateless, you can scale your applications horizontally without worrying about session stickiness. Each server can validate the token independently. This is especially useful in microservices architectures where different services need to authenticate users without a central session store.
  • Stateless nature: No need to store session data on the server. This simplifies things a lot and reduces the load on your servers. as samuele spurio noted, this eliminates the need for server-side session storage.
  • Cross-domain authentication: JWTs can be used across different domains. This makes them ideal for single sign-on (sso) scenarios where users can log in once and access multiple applications.
  • Information-rich payload: You can include any relevant user information in the payload. Roles, permissions, user id, you name it. Just don't put sensitive information in there, since the payload isn't encrypted.

But, with great power comes great responsibility, right? jwt's aren't foolproof, and you gotta be smart about how you use them.

  • Token expiration: Always set an expiration time on your tokens. If a token is compromised, it will eventually expire.
  • Signature verification: Always verify the signature on the server-side to ensure the token hasn't been tampered with. If the signature is invalid, reject the token.
  • Secret key management: Keep your secret key secret. Don't commit it to your code repository, and rotate it regularly.
  • Preventing replay attacks: Implement measures to prevent replay attacks, where an attacker reuses a valid token. A common stateless approach involves using nonces or timestamps within the token itself, or relying on short expiration times. Including a unique identifier and tracking used tokens reintroduces statefulness, which can be a trade-off to consider.

So, jwt tokens are a powerful tool, but they require careful handling. Next up, we'll look at how these two authentication methods stack up against each other in terms of security and usability.

Session Cookies vs JWT: A Detailed Security Comparison

Alright, let's get into the nitty-gritty of how session cookies and jwt tokens hold up against different security threats. It's not always a clear-cut win for either side; it kinda depends on the specific attack we're talking about, ya know?

So, when it comes to common web attacks, both session cookies and jwt tokens have their weak spots. It's like choosing between getting bitten by a mosquito or stung by a bee—neither's fun, but they're different kinds of awful.

  • xss (cross-site scripting): This one's a biggie. If an attacker can inject malicious scripts into your website that steals cookies or tokens, they can impersonate users. Session cookies, especially if they don't have the httponly flag set, are prime targets. JWTs stored in local storage? Equally vulnerable. Now, if you are using httponly cookies, then it's a bit better but still can lead to other attack vectors, such as DOM-based XSS where the script manipulates the DOM to reveal sensitive information, or if the application logic itself is flawed and exposes data.

  • csrf (cross-site request forgery): Session cookies are particularly vulnerable to csrf attacks, where a malicious website tricks a user's browser into sending unwanted requests to a server. As we touched on earlier, the samesite attribute on cookies helps mitigate this, but it's not a silver bullet, and older browsers might not even support it. JWTs, when stored in cookies with the samesite attribute, are also protected.

  • session fixation: An attacker might try to force a user to use a specific session id. If the website isn't careful about regenerating session ids after login, the attacker could hijack the session once the user logs in. JWTs, being stateless, aren't directly vulnerable to session fixation in the same way, as they don't rely on a server-side session ID.

  • jwt injection: This is where things get interesting. If a server incorrectly validates a jwt, an attacker might be able to craft a malicious token that the server accepts as valid. It's like forging a passport but making it just believable enough to fool the border patrol.

Think of it this way:

Security is never an absolute; it's about layering defenses and mitigating risks. There's no "perfectly secure" solution, just better and worse choices.

Where you stash your cookies and tokens is almost as important as what's in them.

  • Cookie storage limitations: Cookies are relatively small – usually limited to about 4kb. Which is fine for a session id, but not great if you're trying to cram a bunch of user data in there.

  • jwt storage options (local storage vs. cookies): You can store jwt tokens in local storage or cookies. Local storage is easier to access with javascript, but also more vulnerable to xss attacks. Cookies, especially with the httponly flag, are generally more secure, but harder to work with.

  • https requirements: This one's non-negotiable. Always use https. If you're sending cookies or tokens over http, you're basically broadcasting them to anyone who's listening. Seriously, don't do it.

Okay, so a token or session is compromised. Now what?

  • Session revocation strategies: With session cookies, you can simply delete the session on the server. It's like cutting off the water supply to a leaky faucet.

  • jwt revocation challenges: This is where jwt's can get tricky. Once a jwt is issued, it's valid until it expires. There's no way to "un-issue" it. This is why short expiration times are crucial.

  • refresh tokens: To get around the revocation problem, many applications use refresh tokens. A refresh token is a long-lived token that can be used to obtain new access tokens. If a refresh token is compromised, it can be revoked. This is typically done by invalidating the refresh token in a database or a token blacklist, which does reintroduce statefulness on the server, a trade-off for enhanced revocation capabilities.

So, which one's more secure? As you can see, there isn't a easy answer. Both session cookies and jwt tokens have their strengths and weaknesses. It really depends on your specific needs and how well you implement them.

But we're not done yet! Next up, we'll be looking at the impact that these authentication methods have on the overall user experience.

compliance and user experience Considerations

Let's talk compliance and user experience, because nobody wants to use a website if it's a pain, right? And you definitely don't want to get slapped with a fine for not following the rules. So, yeah, it's kinda important!

  • data stored in sessions vs tokens: Session cookies usually only store a session ID, while jwt's can contain more user data. It depends on what you put in there, and how you are storing it. If you're cramming a bunch of personal info into a jwt, you better be really careful about security.

  • user consent: Under gdpr, you need explicit consent to store personal data. If you're using session cookies just for session management, you might be okay under "legitimate interest." This generally applies when the processing is necessary for the performance of a contract or to protect the vital interests of the data subject, and it's not overly intrusive. However, this is a complex legal area, and specific advice should always be sought. But if you're using jwt's to track user behavior, you definitely need consent.

  • right to be forgotten: This is where jwt's can be a pain. since they're stateless, there isnt' really a good way to "delete" a jwt once its out there. Short expiration times are your friend here. With session cookies, it's much easier; just delete the session on the server. This ease of deletion primarily applies to data stored within the server-side session itself, not necessarily other data the application might have stored elsewhere and linked to the user.

  • session timeouts: Session timeouts can be frustrating, but they're a necessary evil for security. You don't want someone's session to stay active forever if they forget to log out, right? Balance is key.

  • token expiration: jwt's also expire, which can lead to a similar experience. If the expiration time is too short, users will have to log in constantly. Too long, and you risk security. Refresh tokens can help, but they add complexity.

  • single sign-on (sso): This is an area where jwt's really shine. samuele spurio mentions how sso uses a centralized authentication provider. With jwt's, you can easily share authentication across multiple applications without forcing users to log in every time.

So, compliance and user experience are closely related. You gotta find a balance between security, privacy, and usability. Next up, let's talk about scalability and performance.

Choosing the Right Approach: A Decision Guide

Okay, so you've weighed the pros and cons, but how do you actually pick the right authentication method? It's not always obvious, is it?

Choosing between session cookies and jwt tokens isn't just a technical decision; it's a strategic one. You gotta think about the bigger picture.

  • Application architecture: Are you building a monolithic app or a distributed microservices architecture? For simpler apps, session cookies might be just fine. But if you're dealing with a bunch of services that needs to talk to each other, jwt's are probably gonna be a better fit. This is because jwt's allow each service to independently verify the token's authenticity and claims without needing to query a central session store.
  • Security requirements: What kind of data are you protecting? If you're handling sensitive financial data, you'll need a different approach than if you're building a simple blog. Think about the threats you're most concerned about – xss, csrf, etc. and choose accordingly.
  • Scalability needs: How many users do you expect to have? If you're anticipating massive scale, the stateless nature of jwt's can be a lifesaver. Session cookies requires more server resources.
  • Development resources: How much time and expertise do you have? Session cookies are generally easier to implement, while jwt's requires a bit more setup and careful handling. This "more setup and careful handling" includes things like secure key management for signing tokens, robust validation logic, and potentially implementing refresh token strategies.

Session cookies are like that old reliable car you can always count on. It might not be the flashiest option, but it gets the job done.

  • Simple applications: If you're building a small, straightforward web app, session cookies are often the simplest solution. Think a basic e-commerce site where most of the functionality is on a single server.
  • Centralized session management: If you prefer to keep all your session data in one place, session cookies are the way to go. This makes it easier to manage and revoke sessions, which can be important in industries like healthcare where data security is paramount.
  • High security needs on the server-side: Storing session data on the server can provide an extra layer of security, as sensitive information isn't exposed to the client. Financial institutions often use this approach.

jwt tokens are like a sleek, modern sports car – fast, efficient, but requires a skilled driver.

  • Distributed systems: If you're building a system with multiple microservices, jwt's are a great choice. They allow each service to authenticate users independently, without having to rely on a central session store.
  • Stateless apis: If you're building a rest api, jwt's are a natural fit. They allow you to authenticate requests without having to maintain server-side sessions.
  • Cross-domain authentication: If you need to authenticate users across different domains, jwt's are the way to go. This is common in single sign-on (sso) scenarios, where users can log in once and access multiple applications.

So, you've got the authentication sorted, but what about making it easier for users?

Conclusion: Balancing Security and Usability

So, after all that deep diving, still wondering which authentication method reigns supreme? Truth is, there's no ultimate winner, and you probably knew that already, right? It really boils down to a balancing act.

  • No one-size-fits-all solution exists, unfortunately. What works wonders for a small startup might be a security nightmare for a large enterprise. A healthcare provider handling sensitive patient data will have very different needs than a retail store just trying to remember your shopping cart. You really need to think about your apps architecture and the data you are trying to protect.

  • Security is a continuous process, not a one-time setup. Don't just set it and forget it. New threats pop up all the time, and what was secure yesterday might be vulnerable tomorrow. Regularly review your authentication methods, update your libraries, and keep an eye on security best practices. As samuele spurio points out, tokens needs to be securely generated and validated. This is critical to prevent vulnerabilities like token injection or unauthorized access, as discussed earlier.

  • Stay informed about evolving threats and compliance requirements. The world of web security is constantly changing. Keep up with the latest vulnerabilities, attack vectors, and compliance standards like gdpr. Attend security conferences, read security blogs, and follow security experts on social media. You know, do your homework.

Ultimately, choosing between session cookies and jwt tokens depends on finding the sweet spot between rock-solid security and a smooth, user-friendly experience. There are tradeoffs either way. Pick the approach that best fits your specific needs, and remember that security is a journey, not a destination. And, hey, don't be afraid to mix and match techniques to create a more robust system. For example, you might use session cookies for general website access and jwt tokens for specific api endpoints that need to be consumed by external applications.

S
Sunny Goyal

Founder and Creator

 

Sunny Goyal is the Founder and Creator of GetDigitize.com, a forward-thinking platform dedicated to helping businesses and individuals navigate the ever-evolving digital landscape. With a passion for democratizing digital transformation, Sunny has built GetDigitize as a comprehensive resource hub that bridges the gap between complex technology concepts and practical, actionable insights. As an entrepreneur and digital strategist, Sunny brings years of hands-on experience in guiding organizations through their digitization journeys. His expertise spans across digital marketing, business automation, emerging technologies, and strategic digital planning. Through GetDigitize, he has helped countless businesses streamline their operations, enhance their online presence, and leverage technology to drive growth.

Related Articles

How to Develop a Strong Digital Marketing Strategy
digital marketing strategy

How to Develop a Strong Digital Marketing Strategy

Learn how to create a strong digital marketing strategy to boost your brand's online presence, engage your audience, and achieve your business goals. Includes actionable steps and expert insights.

By David Kim December 3, 2025 8 min read
Read full article
How to Craft an Impactful Advertising Strategy
advertising strategy

How to Craft an Impactful Advertising Strategy

Learn how to craft an impactful advertising strategy that drives digital transformation. Master target audience definition, channel selection, and content optimization.

By David Kim December 3, 2025 13 min read
Read full article
A Campaign Plan to Increase Marketing Effectiveness
marketing effectiveness

A Campaign Plan to Increase Marketing Effectiveness

Learn how to create a marketing campaign plan that increases effectiveness. Get insights on setting goals, identifying your audience, and measuring ROI for digital transformation.

By David Kim December 2, 2025 10 min read
Read full article
A Comprehensive Overview of Digital Marketing Strategy Frameworks
digital marketing strategy framework

A Comprehensive Overview of Digital Marketing Strategy Frameworks

Explore various digital marketing strategy frameworks and learn how to build your own using a practical 7-step process. Enhance your marketing efforts with proven models.

By Rachel Chen December 2, 2025 8 min read
Read full article