Session-Based vs. Token-Based Authentication: Which is better?

Session-based auth

In simple words, session-based authentication uses a special code(session id) stored on your device to remember who you are when you visit a website, keeping you logged in and remembering your information until you leave or log out. let’s take a look step by step.

1. User Login:

Users log in by sending their email and password to the server through a special request.

2. Checking Details:

The server checks if the provided details match what's stored for the user.

3. Creating a Session:

If everything is correct, the server makes a 'session' that holds user info (like user ID, permissions, and time limits). This info is kept safe in the server's storage. Exam or can also be managed using libraries such as express-session.

4. Getting a Session ID:

The server sends this 'session ID' back to the user's device, usually as a cookie in the response.

5. Using the Session ID:

Whenever the user wants something from the server, their device automatically includes this session ID in its requests.

6. Server Checks:

The server uses this session ID to find the stored information about the session user in the session storage.

Here’s how session works:

· When the user logs in, the server creates a session for that user and sets a cookie in the response containing the session ID.

· The browser automatically includes this session ID cookie in subsequent requests to the server.

· When the server receives a request, express-session middleware uses the session ID from the cookie to retrieve the relevant session data.

· The data stored in req.session (such as userId) becomes available to handle the request.

7. Access Granted:

If everything matches up, the server knows the user is genuine and responds to them with access to what they asked for.

Token-based auth

JWT authentication uses digitally signed tokens containing user information to allow secure and verified access to websites or applications without needing to repeatedly log in. Let’s take a look at the step-by-step workflow of token-based authentication.

1. User Login Request:

Users log in by sending their email and password to the server through a specific request.

2. Credential Verification:

The server verifies the provided credentials against the stored user data.

3. Token Generation:

Upon successful verification, the server creates a token (commonly JWT - JSON Web Token). This token holds user information (claims) such as user_id, permissions.

4. Token Signing and Hashing:

The token is signed with a secret key and processed with a hashing algorithm (like SHA256) to create a hash.

5. Sending the Token:

The server sends this token to the client, which stores it, typically in the browser.

6. Token Storage Options:

The client can store the token in different ways like HttpOnly Cookies, Session Storage, or Local Storage. Storing in HttpOnly Cookies is recommended as it prevents JavaScript access, enhancing security against XSS attacks.

7. Token Expiry and Security:

Tokens often have an expiration time to enhance security.

8. Including Token in Requests:

For every request to the server, the client sends the token in the Authorization header.

It's a good practice to prefix the token with "Bearer ".

9. Server-Side Validation:

Upon receiving a request, the server retrieves the token.

10. Token Validation and User Authentication:

Using the secret key, the server validates the token and extracts claims from it. If the user information from the claims exists in the server's user table, the server authenticates the user, granting access to requested resources.

Key differences

· Storage Location: Sessions are stored on the server, while tokens (JWTs) are stored on the client side.

· Stateful vs Stateless: Sessions are stateful, while tokens are stateless, allowing for better scalability in distributed systems.

· Expiry Handling: Session expiry is managed by the server, whereas token expiry is handled by the token itself.

· Security Measures: JWTs often include digital signatures and support for encryption, enhancing security compared to typical session mechanisms that use cookies, and can be vulnerable to CSRF attacks if not properly protected.

· Usage Flexibility: Tokens (JWTs) offer more flexibility in carrying additional information beyond authentication, useful for authorization and custom data transmission.

Which method should be used?

It depends upon the requirement and nature of the application. Most applications use a hybrid approach, token-based authentication for APIs, and session-based authentication for web-based interactions.