Originally published at https://www.codespot.org
HTTP (HyperText Transfer Protocol)
HTTP is the protocol the client and the server use to communicate. HTTP is stateless, which means each request carries no knowledge of any previous one. For example, when a user logs in and then navigates through the app, the server will not know that the user has just logged in unless session or token authentication is used.
Session Authentication
In session authentication, the server creates a session for the particular user when the user logs in; the id of that session is then stored in a cookie in the user's browser. The cookie is sent along with every request the user makes, so the server can compare the session id from the cookie with the session information stored on the server and thereby verify the user's identity.
Token Authentication
In token authentication, the server creates a JSON Web Token (JWT) and sends it to the client. The JWT is usually stored in local storage or in a cookie, and it is included in every request the user makes. The server validates the JWT on each request. JWT authentication is a more modern approach used in newer web applications and for mobile devices. With this approach the user state is not stored on the server; instead it is stored in the token.
Scalability
Generally, JSON Web Tokens scale much better with the size of the application because they are stateless: no user information needs to be stored on the server. Sessions, on the other hand, can use a lot of server resources if the application has a lot of traffic.
Security
The JSON Web Token is usually stored either in local storage or in a cookie. JavaScript has access to local storage, which means a JWT kept there may be exposed through XSS (Cross-site Scripting); that is why very sensitive data should not be stored in local storage. When JSON Web Tokens are stored in cookies, they are vulnerable to CSRF (Cross-site Request Forgery) attacks. One way to prevent CSRF is to make sure the cookie is accessible only by your own domain. JWTs should also have short expiration times, and HTTPS/SSL should be used so that transmission between client and server is safe.
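The checks this section calls for, as an added example that is not code from the original article: a small audit of a Set-Cookie header carrying a JWT. It decodes the payload without any key (showing why sensitive data must not go in it), flags a cookie that page scripts can read, flags one that is sent on cross-site requests, and enforces a short lifetime. The 15-minute policy, the list of claim names treated as sensitive and the function names are assumptions.

```javascript
// Added example (not from the original article): audit a JWT-bearing cookie.
const MAX_LIFETIME_SECONDS = 15 * 60;                         // assumed policy
const SENSITIVE_CLAIMS = ['password', 'ssn', 'card_number'];  // assumed list

// Decode a JWT payload WITHOUT checking its signature. It is deliberately
// key-free to show that anyone holding the token can read the claims; the
// result must never be used for authorization decisions.
function unverifiedClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const p = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  try {
    return JSON.parse(Buffer.from(p, 'base64').toString('utf8'));
  } catch (e) {
    return null;
  }
}

// Parse a Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq === -1) return null;
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const name = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[name] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Return the list of findings for a Set-Cookie header that carries a JWT.
function auditTokenCookie(setCookieHeader, nowSeconds) {
  const parsed = parseSetCookie(setCookieHeader);
  if (!parsed) return ['header is not a name=value cookie'];
  const { value: token, attributes } = parsed;
  const findings = [];
  if (!attributes.httponly) findings.push('no HttpOnly: page scripts can read the token (XSS exposure)');
  if (!attributes.secure) findings.push('no Secure: cookie may be sent over plain HTTP');
  const sameSite = String(attributes.samesite || 'none').toLowerCase();
  if (sameSite === 'none') findings.push('SameSite missing or None: cookie may ride on cross-site requests (CSRF exposure)');
  const claims = unverifiedClaims(token);
  if (!claims) {
    findings.push('cookie value is not a decodable JWT');
    return findings;
  }
  for (const k of Object.keys(claims)) {
    if (SENSITIVE_CLAIMS.includes(k.toLowerCase())) findings.push(`sensitive claim "${k}" sits in the readable payload`);
  }
  if (typeof claims.exp !== 'number') findings.push('no exp claim: token never expires');
  else if (claims.exp - nowSeconds > MAX_LIFETIME_SECONDS) findings.push('exp too far out: lifetime exceeds policy');
  return findings;
}

// Constructed sample: an unsigned, JWT-shaped value with a placeholder
// signature, enough for the audit since it never verifies signatures.
const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64').replace(/=+$/, '');
const demoToken = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc({ sub: 'alice', ssn: '000-00-0000', exp: 1700003600 })}.placeholdersig`;
console.log(auditTokenCookie(`token=${demoToken}; Path=/`, 1700000000));
// -> five findings: HttpOnly, Secure, SameSite, sensitive claim, lifetime
console.log(auditTokenCookie(`token=${demoToken}; Path=/; HttpOnly; Secure; SameSite=Strict`, 1700003000));
// -> one finding: the ssn claim is still readable by whoever holds the token
```

HttpOnly and SameSite address the XSS and CSRF points respectively, but neither hides the payload: the last line shows that a claim remains readable no matter how the cookie is flagged, so the only fix for sensitive data is to keep it out of the token.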
Which Is Better?
While sessions and JSON Web Tokens are both viable options, in some situations one is better than the other. For small and medium websites, where all we need is a user login, session authentication is usually good. For larger websites and applications that need to handle a lot of requests, JSON Web Tokens are much better because of scaling.
Top comments (11)
I say that session cookies are more secure than JWTs. You should take a look at an alternative to JWTs, PASETO. And don't forget to read a blog post about what's wrong with JWT. You shouldn't use JWTs for authentication.
Never index by secret values!
Another blog post on why you shouldn't use JWTs for sessions.
A blog post about indexing by secrets and timing attacks in general.
I'm a bit confused about "The user state is not stored on the server with this approach instead it is stored in the token."
and in the next paragraph there is "Generally, the JSON Web Token scales much better with the size of the application because it is stateless,"
Can you explain, please?
When the state is stored on the server, as it is with the session approach, the bigger the app is, the more resources the server will need (for example, Reddit size): for every user that logs in, the server will need to store the user state in memory. The JWT is stored in the client browser and the server is just doing verification to check if the token is signed, that's why it can scale great with the size of the app.
I prefer JSON Web Tokens too, but it's not true that you can't scale well with cookies. You can use connect-redis with express-session, which will make it faster (you can still have multiple replicas of your api). Not to mention cookies are more secure than JWT tokens. If someone puts sensitive information in the payload, you are screwed-up, because anyone can decode the payload of the JWT token. It's just a base64 value.
In the end, it will depend on what you are building. :)
Berry cool !!!
Great article. Shared this with fellow nerds on a chat group.
And please take note, don't confuse developers who don't know any better (which you may be a victim of). SSL is outdated and insecure. TLS is the successor to SSL. Please say TLS.
I believe you should read this article about Sessions and JWT that shows that JWT is not suited for managing sessions. cryto.net/~joepie91/blog/2016/06/1...
In JWT, to validate the token, doesn't the server need to save it in a database? Doesn't it require space?
Or else, how is the validation done?
The JWT is signed by the server with a private key and then sent to the client, so the server can verify whether the token is legit or not.
Very informative article! thanks.
One thing I want to say: please mention TLS.
SSL is outdated we should use TLS 1.3 or TLS 1.2 !