{
	"id": "7c2bc38a-5d32-43f8-aede-a4d67cf8e0b0",
	"created_at": "2026-04-06T00:11:54.581879Z",
	"updated_at": "2026-04-10T13:12:26.581167Z",
	"deleted_at": null,
	"sha1_hash": "a02b1b40932b524364030644efabd59831e7910e",
	"title": "Session vs Token Based Authentication",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 215975,
	"plain_text": "Session vs Token Based Authentication\r\nBy Sherry Hsu\r\nPublished: 2018-07-27 · Archived: 2026-04-05 12:50:03 UTC\r\nWhy do we need a session or a token for authentication?\r\nHTTP is stateless. All requests are stateless. However, there are situations where we would like our state to be remembered. For example, in an on-line shop, after we put bananas in a shopping cart, we don’t want our bananas to disappear when we go to another page to buy apples, i.e. we want our purchase state to be remembered while we navigate through the on-line shop!\r\nTo overcome the stateless nature of HTTP requests, we could use either a session or a token.\r\nSession Based Authentication\r\nIn session based authentication, the server creates a session for the user after the user logs in. The session id is then stored in a cookie on the user’s browser. While the user stays logged in, the cookie is sent along with every subsequent request. The server can then compare the session id stored in the cookie against the session information stored in memory to verify the user’s identity and send a response with the corresponding state.\r\nSession Based Authentication flow\r\nhttps://medium.com/@sherryhsu/session-vs-token-based-authentication-11a6c5ac45e4\r\nPage 1 of 3\n\nToken Based Authentication\r\nMany web applications use JSON Web Tokens (JWT) instead of sessions for authentication. In a token based application, the server creates a JWT with a secret and sends the JWT to the client. The client stores the JWT (usually in local storage) and includes the JWT in a header with every request. The server then validates the JWT on every request from the client and sends a response.\r\nToken Based Authentication flow\r\nThe biggest difference here is that the user’s state is not stored on the server; the state is stored inside the token on the client side instead. Most modern web applications use JWT for authentication for reasons including scalability and mobile device authentication.\r\nNode Modules for JWT\r\nThe jsonwebtoken library can be used to create the JWT on the server. Once the user is logged in, the client passes the JWT back in the Authorization header as a Bearer token:\r\n{\r\n method: \"GET\",\r\n headers: {\r\n \"Authorization\": \"Bearer ${JWT_TOKEN}\"\r\n }\r\n}\r\nThe express-jwt middleware can be used to validate the JWT by verifying its signature with the same secret.\r\nScalability\r\nSession based authentication: Because the sessions are stored in the server’s memory, scaling becomes an issue when there is a huge number of users using the system at once.\r\nToken based authentication: There is no issue with scaling because the token is stored on the client side.\r\nMultiple Devices\r\nSession based authentication: Cookies normally work on a single domain or its subdomains, and they are normally disabled by the browser if they work cross-domain (3rd party cookies). This poses issues when APIs are served from a different domain to mobile and web clients.\r\nToken based authentication: There is no issue with cookies as the JWT is included in the request header.\r\nToken Based Authentication using JWT is the more recommended method in modern web apps. One drawback of JWT is that a JWT is much bigger than a session id stored in a cookie, because the JWT contains more user information. Care must be taken to ensure only the necessary information is included in the JWT, and sensitive information should be omitted to limit what an XSS attack could expose.\r\nReference\r\nSource: https://medium.com/@sherryhsu/session-vs-token-based-authentication-11a6c5ac45e4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@sherryhsu/session-vs-token-based-authentication-11a6c5ac45e4"
	],
	"report_names": [
		"session-vs-token-based-authentication-11a6c5ac45e4"
	],
	"threat_actors": [],
	"ts_created_at": 1775434314,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a02b1b40932b524364030644efabd59831e7910e.pdf",
		"text": "https://archive.orkl.eu/a02b1b40932b524364030644efabd59831e7910e.txt",
		"img": "https://archive.orkl.eu/a02b1b40932b524364030644efabd59831e7910e.jpg"
	}
}