
Ramu Ummadishetty


Token vs Session Based Authentication

Session based authentication

  • In session based authentication the server stores the user information, and each user has a corresponding session ID that the server uses to validate them.
  • Both session based and token based authentication are processes that allow the server to handle multiple requests from the same user without asking the user to log in again.
  • When the user logs out, the server ends the session or invalidates the token and revokes the authentication.

Most of the time this session ID or token is shared with the browser in the form of an HTTP cookie. The cookie is included with each request so the server can validate the user.

Token based Authentication

  • A token-based authentication system stores this information directly in some sort of token.
  • The server decodes the token to determine the user's identity, which removes the need to store session IDs on the server.

Token auth flow

  • Users log in with their credentials.
  • Those credentials are sent to the server for validation; if they are valid, the user is given a signed token.
  • This signed token is included with each request and response to identify the user.
  • The token can be carried in headers or in cookies.
  • Each time the server validates the token, it serves the requested resources to the user.

Token security

  • The integrity of the token is protected by signing it and verifying the signature each time it arrives at the server.
  • The server uses a secret key to generate the signature string attached to the token. If a user or third party tampers with the token, the signature will no longer be valid.
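To make the signing and verification steps concrete, here is an added example (not from the original post) of a minimal signed token: a base64url-encoded claims payload followed by an HMAC-SHA256 signature computed with the server's secret key. The secret key, claim names and helper functions are all constructed for this illustration; the verification shows that a token whose claims were edited without the key is rejected, and that an expired token is rejected too.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real server would load this from a secret store.
SECRET_KEY = b"demo-secret-key-not-for-production"


def _b64url(data: bytes) -> str:
    # Base64url without padding, the encoding JWT-style tokens use.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    # Restore the padding stripped by _b64url before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, secret: bytes) -> str:
    """Encode the claims and append an HMAC-SHA256 signature over them."""
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison so timing differences do not leak signature bytes.
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # malformed base64, malformed JSON, or wrong number of parts
        return None
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        return None
    return claims


def modify_claims_unsigned(token: str, new_subject: str) -> str:
    """Rewrite the subject claim while keeping the old signature, to show that verification fails."""
    payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims["sub"] = new_subject
    return f"{_b64url(json.dumps(claims, sort_keys=True).encode())}.{sig}"
```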

See JSON Web Tokens (JWT) for a widely used signed-token format.
