
Token vs Session Authentication

Aleksandar Vasilevsk on October 09, 2019

Originally published at https://www.codespot.org

HTTP (HyperText Transfer Protocol) HTTP is a protocol for communication between the cl...

Nathilia Pierce • Edited

I say that session cookies are more secure than JWTs. You should take a look at an alternative to JWTs, PASETO. And don't forget to read a blog post about what's wrong with JWT. You shouldn't use JWTs for authentication.

Never index by secret values!

Another blog post on why you shouldn't use JWTs for sessions.

A blog post about indexing by secrets and timing attacks in general.

Sven Varkel

I'm a bit confused about "The user state is not stored on the server with this approach instead it is stored in the token."

and in the next paragraph there is "Generally, the JSON Web Token scales much better with the size of the application because it is stateless,"

Can you explain, please?

Aleksandar Vasilevsk

When the state is stored on the server like it is with the session approach, the bigger the app is, the more resources the server will need (for example, at Reddit's size): for every user that logs in, the server will need to store the user state in memory. The JWT is stored in the client browser and the server just verifies that the token is signed; that's why it scales well with the size of the app.

kHRISl33t

I prefer JSON Web Tokens too, but it's not true that you can't scale well with cookies. You can use connect-redis with express-session, which will make it faster (you can still have multiple replicas of your API). Not to mention cookies are more secure than JWT tokens. If someone puts sensitive information in the payload, you are screwed, because anyone can decode the payload of the JWT token. It's just a base64 value.

In the end, it will depend on what you are building. :)

Siegen

Very cool!!!

MSchleckser

Great article. Shared this with fellow nerds on a chat group.

Nathilia Pierce

And please take note, don't confuse developers who don't know any better (of which you may be a victim yourself). SSL is outdated and insecure. TLS is the successor to SSL. Please say TLS.

André Felipe Dias

I believe you should read this article about Sessions and JWT that shows that JWT is not suited for managing sessions. cryto.net/~joepie91/blog/2016/06/1...

Supun Kavinda

In JWT, to validate the token, doesn't the server need to save it in a database? Doesn't it require space?

Or else, how is the validation done?

Aleksandar Vasilevsk

The JWT is signed by the server with a private key and then sent to the client, so the server can verify whether the token is legit or not.

Agha Azeem

Very informative article! Thanks.
One thing I want to say: please mention TLS.
SSL is outdated; we should use TLS 1.3 or TLS 1.2!