Sessions vs JWT vs Cookies

Before starting the war, allow me to explain what these three contenders are!
In the end it might not even be a fight.
What is a Session?
A session is just a record. When you open a website, the frontend can store some data in your sessionStorage. It only exists while the page is open; once you close the page it gets cleared.
It tells the web page that you are still on it. The data can be anything, stored as key-value pairs. In authentication, though, "session" usually means the server-side record described under stateful auth below.
What is a JWT?
JWT stands for JSON Web Token.
Yes, it is a token, but note that it is encoded and signed, not encrypted: anyone holding the token can read what is inside it. It has three parts, separated by dots:
header - the algorithm used
payload - the data stored
signature - computed with a secret, a random string set by the developer, to sign the token (it is like an artist signing their art so they can tell it is theirs and not a duplicate)
The JWT also has an expiry, set by the developer.
It is sent by the backend to the frontend, which keeps it.
For every request that requires authentication, the JWT is sent along with it; the backend verifies it and then allows the task or returns the data. It is like an ID card that lets you into an area reserved for authenticated users.
Once the JWT expires you are automatically logged out and have to log in again for a fresh JWT.
What is a Cookie?
Before you make any guess, let me tell you it is just a small set of key-value pairs that the browser stores for a website. Websites use it to store data about the user, and one of the things commonly stored there is the JWT.
Now that you understand all three, you might have a hint: we are discussing the various methods a website can use to authenticate a user.
Types of Authentication
Stateful Auth: here a session is created by storing data on the server to maintain a state. This gives control to the server: if it deletes that state, the user becomes unauthenticated. "Maintaining a state" is just a fancy way of saying the server stores a token that is also sent to the user. When any request hits the server, that token is used to authenticate. If the developer deletes the token from the database, the user cannot be authenticated until the server creates a new one and gives it to the user.
Stateless Auth: here no token is stored in the database to maintain state. A JWT is signed and given to the user, and that token is verified by the server every time the user wants to access data or a method reserved for authenticated users.
Here the developer cannot instantly revoke access, because the token lives on the frontend. A JWT can only expire; after that, the developer can decide not to issue a new JWT for that user.
So the difference between sessions and JWT lies in the method used to verify a user: a session stores info on the server, so it is stateful, while JWT auth is stateless, so no token is stored on the server side.
When to use which
Use Sessions for traditional, server-rendered web applications on a single domain where immediate session invalidation and simple state management are priorities.
Use JWTs for APIs, mobile apps, microservices, and cross-domain applications where statelessness and horizontal scalability are critical.
Hybrid Approach: Many modern systems use sessions for the web frontend (for CSRF protection and easy revocation) and JWTs for the API (to enable stateless scaling for backend services).