Skip to content

Token vs Session Authentication

Aleksandar Vasilevsk on October 09, 2019

Originally published at HTTP (HyperText Transfer Protocol) HTTP is a protocol for communication between the cl... [Read Full]
markdown guide

I say that session cookies are more secure than JWTs. You should take a look at an alternative to JWTs, PASETO. And don't forget to read a blog post about what's wrong with JWT. You shouldn't use JWTs for authentication.

Never index by secret values!

Another blog post on why you shouldn't use JWTs for sessions.

A blog post about indexing by secrets and timing attacks in general.


I prefer JSON Web Tokens too, but it's not true that you can't scale well with cookies. You can use connect-redis with express-session, which will make it faster (you can still have multiple replicas of your api). Not to mention cookies are more secure than JWT tokens. If someone puts sensitive information in the payload, you are screwed-up, because anyone can decode the payload of the JWT token. It's just a base64 value.

In the end, it will depend on what you are building. :)


I'm a bit confused about "The user state is not stored on the server with this approach instead it is stored in the token."

and in the next paragraph there is "Generally, the JSON Web Token scales much better with the size of the application because it is stateless,"

Can you explain, please?


When the state is stored on the server like it is with the session approached, the bigger the app is, the more resources will be needed to the server (for example Reddit size) for every user that logs, the server will need to store the user state in the memory. The JWT is stored in the client browser and the server is just doing verification to check if the token is signed, that's why it can scale great with the size of the app.


Great article. Shared this with fellow nerds on a chat group.


In JWT, to validate the token, doesn't the server need to save it in a database? Doesn't it require space?

Or else, how is the validation done?


The JWT is signed from the server with a private key and then it is sent to the client, so the server can verify the token if it's legit or not.


Very informative article! thanks.
One thing i want to say please mention TLS.
SSL is outdated we should use TLS 1.3 or TLS 1.2 !


And please take note, don't confuse developers who don't know any better(which you may be a victim of this). SSL is outdated and insecure. TLS is the successor to SSL. Please say TLS.

code of conduct - report abuse