What’s the difference between Session-based authentication and JWTs
Session-Based Authentication

In this approach, you store the session information in a database or session store and give a session ID to the user. For the user, it’s similar to just getting the Ticket ID of their flight. All other details are stored in the airline’s database. Here’s how it works:

- The user makes a login request and the frontend app sends the request to the backend server.
- The backend creates a session using a secret key and stores the data in session storage.
- Then, the server sends a cookie back to the client with the unique session ID.
- The user makes a new request to view another page and the browser sends the session ID along with it.
- The server verifies the user using this ID.
JWT-based Authentication

In the JWT-based approach, you don’t store the session information in the session store. The entire information is available within the token. It’s like getting the flight ticket with all the details printed on the ticket, but signed so they can’t be altered. Here’s how it works:

- The user makes a login request and it goes to the backend server.
- The backend server verifies the credentials and issues a JWT. The JWT is signed using a private key. No session storage is involved.
- The JWT is passed to the browser using a cookie. For every subsequent request, the browser sends the cookie with the JWT.
- The server verifies the JWT using the secret private key and extracts the user info.
Which one is the better approach?
“It depends.”

JWTs offer some cool benefits when compared to sessions, such as:

- No separate storage
- Easier to scale the client and server

But JWTs also have some disadvantages:

- Invalidating a JWT is not easy. With sessions, you can simply delete the entry from the session store.
- The data in the JWT can become stale.
- JWTs aren’t exactly small when it comes to size.

Ultimately, the choice depends on the security requirements of your application.
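As an added example (not part of the original post), here is a minimal HS256 JWT issue/verify pair next to an in-memory session store, so the two flows above and the revocation difference can be compared side by side; the HMAC key, TTL, denylist and store are constructed for the demo and stand in for whatever a real backend would use.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-hmac-key"  # assumption: the server's shared HS256 signing key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(user_id: str, now: int, ttl: int = 900, secret: bytes = SECRET) -> str:
    """Build header.payload.signature; every claim travels inside the token itself."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl}
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jwt(token: str, now: int, secret: bytes = SECRET, denylist: frozenset = frozenset()):
    """Return the payload if the signature is valid and the token is unexpired, else None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        sig = _b64url_decode(s64)
    except ValueError:                          # malformed structure, base64 or JSON
        return None
    if header.get("alg") != "HS256":            # pin the algorithm; never trust the header's choice
        return None
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time signature comparison
        return None
    payload = json.loads(_b64url_decode(p64))
    if now >= payload.get("exp", 0):            # stale tokens die only when exp passes
        return None
    if token in denylist:                       # early revocation needs server-side state after all
        return None
    return payload

class SessionStore:
    """Session-based alternative: the server keeps the state, so revocation is just a delete."""
    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}
    def create(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(32)          # opaque, unguessable session ID sent in the cookie
        self._sessions[sid] = {"sub": user_id}
        return sid
    def lookup(self, sid: str):
        return self._sessions.get(sid)
    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```

Note that a signed, unexpired JWT stays valid until `exp` unless the server also keeps a denylist, which is exactly the storage the JWT approach set out to avoid.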