Session vs Token-Based Authentication

Hello everyone, today we will discuss a topic: Session vs Token-Based Authentication.

These are two of the most common methods for authenticating users on web application systems. I believe that these are crucial concepts that everyone has encountered when first stepping into the field.

Alright, let's dive in.

1. Overview of Authentication

In short, authentication is the process of identifying users (user identity) to answer the question: Who has just accessed and sent a request to my system? To do this, the user will provide their credentials (usually through username/password) and send them to the server for verification.

2. Session-Based Authentication

How It Works

After a user successfully logs in, the server creates a unique Session ID and stores it in a database, RAM, or similar storage. The Session ID is saved in a cookie and sent back to the client's browser. The server will use this Session ID to authenticate requests from the same user during the session.

Authentication Process

  1. The user sends login information (username and password).
  2. The server verifies the credentials and creates a session ID stored in a database. The session ID is stored in a cookie and sent to the browser.
  3. Every subsequent request from the user includes the cookie containing the session ID.
  4. The server checks the session ID in the database to authenticate the user. If the ID is found, it returns the requested resource to the user.

Advantages

  • Since session information is stored on the server, the server has full control over the session. For example, if the security team detects a compromised account, they can disable the session ID immediately, logging the user out instantly.

Disadvantages

  • Stateful: The server has to store the user's session, turning the application into a stateful one. This is not suitable for distributed or large-scale systems, as sessions need to be synchronized across multiple servers.
  • Resource Usage: Storing sessions consumes server resources, especially with a large number of users.

3. Token-Based Authentication (JWT - JSON Web Token)

How It Works

After a user successfully logs in, the server generates a token to identify the user. JWT (JSON Web Token) is a common method used. The token is encrypted and contains authentication information (like user ID, access rights). The token is then sent to the client and stored on the client-side (usually in localStorage or sessionStorage). Afterward, the client sends the token in the HTTP headers (Authorization header) with every request to access resources.

Authentication Process

  1. The user sends login information.
  2. The server verifies the credentials and generates an encrypted token (JWT). The token is sent to the client and stored in localStorage or sessionStorage.
  3. Every subsequent request includes the token in the Authorization header.
  4. The server verifies the token's validity to authenticate the user and returns the requested resource.

Advantages

  • Stateless: There's no need to store sessions on the server, making it suitable for distributed systems or microservices.
  • Scalability: It’s easy to scale since there's no need to synchronize states between servers.

Disadvantages

  • Security: If the token is stolen, an attacker can use the token to access the system until it expires.
  • Token Management: Invalidating or revoking a token is more challenging because the server doesn't store the token state. You often have to wait for the token to expire or use a blacklist mechanism to disable it.
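As an added illustration (not code from the original article), here is a minimal Python sketch of both flows described in sections 2 and 3 side by side: a server-side session store that lets the server disable a session ID immediately, and an HS256-signed JWT that the server checks only against its signature and exp claim, so a stolen token stays usable until expiry unless the server reintroduces state with a blacklist. The secret key and claim values are constructed placeholders; the header and payload are base64url-encoded JSON readable by anyone holding the token, and the HMAC protects their integrity.

```python
import base64, hashlib, hmac, json, secrets, time

# --- Session-based: the server keeps state, so a revoked session is dead at once ---
SESSIONS = {}  # session_id -> user; stand-in for the DB/RAM store in the text

def create_session(user):
    sid = secrets.token_urlsafe(32)  # unguessable session ID, set as a cookie by the login handler
    SESSIONS[sid] = user
    return sid

def authenticate_session(sid):
    return SESSIONS.get(sid)  # None for an unknown or revoked ID

def revoke_session(sid):
    SESSIONS.pop(sid, None)  # the "disable the session ID immediately" case

# --- Token-based (JWT, HS256): the server keeps no state and trusts the signature ---
SECRET = b"constructed-demo-key"  # constructed for the example; load from config in real code
REVOKED_JTI = set()  # optional blacklist; the only way to cut a token off before exp

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(user, ttl=3600, now=None):
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "exp": now + ttl, "jti": secrets.token_hex(8)}
    payload = b64url_encode(json.dumps(claims).encode())  # readable by anyone; not encrypted
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def authenticate_jwt(token, now=None):
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        alg = json.loads(b64url_decode(header)).get("alg")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if alg != "HS256" or not hmac.compare_digest(b64url_decode(sig), expected):
            return None  # forged, tampered or wrong algorithm
        claims = json.loads(b64url_decode(payload))
        if claims["exp"] <= now or claims.get("jti") in REVOKED_JTI:
            return None  # expired, or revoked via the blacklist
        return claims["sub"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed token

def revoke_jwt(token):
    REVOKED_JTI.add(json.loads(b64url_decode(token.split(".")[1]))["jti"])  # adds server state back
```

Note that `revoke_jwt` only works because every `authenticate_jwt` call now consults `REVOKED_JTI`, which is exactly the shared state the stateless design set out to avoid.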

4. Conclusion

Session-Based and Token-Based Authentication are the two most popular methods used for authentication. Session-Based Authentication is suitable for small applications or systems that don't need to scale massively. In practice, session-based authentication is widely applied in monolithic systems.

Token-Based Authentication is often used for distributed systems or microservices because it is stateless: the server does not store any token state.

As you can see, each method has its own pros and cons. The key is to apply the most suitable method to solve your specific problem.

That concludes my overview of Session vs Token-Based Authentication.

Thank you for your time.

Once again, I'm Phan, a curious and dedicated developer.

See you in the next article!

Cao Thanh Nam

Database Optimization at Wecommit with Database Development expertise

4 months

Insightful
