
JWT vs Session Based Authentication


Last updated 9 months ago

JWT vs. Session Based Authentication (SBA)

JWT

  • Stateless - the server keeps no record of issued tokens; a token is accepted if its signature verifies and its claims (notably exp) are still valid

SBA

  • Stateful - the session record lives server-side (in memory, a database or a cache); the client only holds an opaque session ID, usually in a cookie, and every request is checked against that record

Advantages of JWT

Scalability:

  • Due to their stateless nature, JWTs are ideal for distributed systems.

Flexibility:

  • Because the token carries its own claims and signature, any service that holds the verification key can accept it, so it works across different domains, services and applications without a shared session store.

Security:

  • When properly implemented, they provide a secure way to handle user authentication.

  • Keep access JWTs short-lived (minutes, not days) and use refresh tokens to obtain new access tokens without forcing the user to re-authenticate; a stolen access token then has a small window of use

Disadvantage of JWT

Transmission Security:

  • JWTs MUST be transmitted over HTTPS

  • Otherwise the token can be sniffed on the wire and replayed by anyone who captures it, since possession of the token is all the server checks

Storage:

  • JWTs are stored entirely on the client, so the storage location decides what an XSS payload can reach: a token in localStorage or sessionStorage is readable by any script running on the page, while an HttpOnly cookie is not (at the cost of needing CSRF protection, see below)

Revocability:

  • There is no efficient revocation: a token stays valid until its exp claim passes, and the server has no record it could delete

  • If a valid JWT is stolen during its validity period, it can be used to authenticate without the user's knowledge, even after the user has logged out

  • Preventing this needs extra backend logic on every request (a denylist of revoked token IDs, or a per-user "not valid before" timestamp); that reintroduces server-side state and lookup overhead, and partially defeats the purpose of choosing JWT for statelessness in the first place
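The trade-off described in the Security and Revocability points above, as an added example that is not part of the original page: a stdlib-only Python HS256 mint/verify pair. The server's stateless checks are a pinned alg, a constant-time signature comparison and the exp claim; the denylist of jti values passed to verify() is the extra backend state that logout requires, and peek_payload() shows that a signed (not encrypted) token's claims are readable by anyone holding it. The secret, subject, TTL and timestamps are constructed for the example.

```python
"""HS256 JWT mint/verify with exp, plus a jti denylist for revocation.
Stdlib only. SECRET, ACCESS_TTL and all claim values are constructed for
this example; load a real secret from a secrets manager."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"example-hs256-secret-do-not-use-in-production"  # constructed
ACCESS_TTL = 15 * 60  # short-lived access token: 15 minutes


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj):
    return json.dumps(obj, separators=(",", ":")).encode()


def mint(sub, now=None, ttl=ACCESS_TTL):
    """Issue header.payload.signature with iat, exp and a unique jti."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl,
               "jti": secrets.token_hex(16)}
    signing_input = _b64url(_json(header)) + "." + _b64url(_json(payload))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify(token, now=None, denylist=None):
    """Stateless checks: pinned alg, constant-time signature check, exp.
    `denylist` is the optional stateful addition needed for logout."""
    now = now if now is not None else time.time()
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p64))
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    if denylist is not None and payload.get("jti") in denylist:
        raise ValueError("revoked")
    return payload


def peek_payload(token):
    """A JWS payload is only base64url-encoded: no key is needed to read it."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def logout(token, denylist):
    """Revocation costs state: remember the jti until the token would expire."""
    denylist.add(peek_payload(token)["jti"])


def demo():
    t0 = 1_700_000_000  # constructed issue time
    token = mint("alice", now=t0)
    out = {"valid": verify(token, now=t0 + 60)["sub"]}
    # Purely stateless verification cannot know the user logged out:
    out["still_valid_after_logout_stateless"] = verify(token, now=t0 + 120)["sub"]
    denylist = set()
    logout(token, denylist)
    try:
        verify(token, now=t0 + 120, denylist=denylist)
        out["revoked"] = False
    except ValueError:
        out["revoked"] = True
    try:
        verify(token, now=t0 + ACCESS_TTL + 1)
        out["expired"] = False
    except ValueError:
        out["expired"] = True
    # Tampering: change the subject without re-signing.
    h64, p64, s64 = token.split(".")
    forged = peek_payload(token)
    forged["sub"] = "admin"
    try:
        verify(h64 + "." + _b64url(_json(forged)) + "." + s64, now=t0 + 60)
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    return out


if __name__ == "__main__":
    print(demo())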

Advantages of SBA

Simplicity and Reliability:

  • The server's session record acts as a centralized truth source, making it straightforward to manage user sessions.

Revocation Efficiency:

  • Access can be quickly revoked by deleting or invalidating the session record, ensuring up-to-date session validity.

Disadvantages of SBA

Performance Issues (High Latency) at Scale in Dynamic Environments:

  • Every request needs a session-store lookup before it can be authorised, and that round trip (to a database or cache) adds latency, especially for high-traffic applications.

  • For applications whose clients make many frequent requests, that latency is visible to users, and in a multi-node deployment the store must be shared or requests pinned to one node (sticky sessions), which makes session-based authentication less ideal in such scenarios.
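As an added example that is not part of the original page, an opaque session store in stdlib Python showing what the "centralized truth source" and "revocation by deletion" points above look like in code: the client holds only a random ID, every request is a store lookup, logout is a delete that takes effect on the very next request, and the ID is rotated after login to defeat session fixation. The in-memory dict stands in for a Redis or database session store; the timeouts and timestamps are constructed for the example.

```python
"""Opaque server-side sessions: random ID on the client, record on the server.
Stdlib only. IDLE_TTL, ABSOLUTE_TTL and the timestamps in demo() are
constructed for this example; the dict stands in for Redis or a database."""
import secrets
import time

IDLE_TTL = 30 * 60       # sliding inactivity timeout
ABSOLUTE_TTL = 8 * 3600  # hard cap regardless of activity


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session_id -> record: the centralized truth source

    def create(self, user, now=None):
        now = now if now is not None else time.time()
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def validate(self, sid, now=None):
        """Called on every request: this lookup is the latency SBA pays for."""
        now = now if now is not None else time.time()
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if now - rec["created"] > ABSOLUTE_TTL or now - rec["last_seen"] > IDLE_TTL:
            del self._sessions[sid]  # lazily expire
            return None
        rec["last_seen"] = now  # slide the idle window
        return rec["user"]

    def revoke(self, sid):
        """Logout or admin kill: effective on the next request, no waiting for exp."""
        return self._sessions.pop(sid, None) is not None

    def revoke_user(self, user):
        """Password change or compromise response: drop every session of a user."""
        doomed = [s for s, rec in self._sessions.items() if rec["user"] == user]
        for s in doomed:
            del self._sessions[s]
        return len(doomed)

    def rotate(self, sid, now=None):
        """Issue a fresh ID after login or privilege change (session fixation defence)."""
        rec = self._sessions.pop(sid, None)
        if rec is None:
            return None
        rec["last_seen"] = now if now is not None else time.time()
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = rec
        return new_sid


def demo():
    t0 = 1_700_000_000  # constructed login time
    store = SessionStore()
    sid = store.create("alice", now=t0)
    out = {"valid": store.validate(sid, now=t0 + 60)}
    out["revoked"] = store.revoke(sid)
    out["after_revoke"] = store.validate(sid, now=t0 + 61)  # None immediately
    sid2 = store.create("alice", now=t0)
    out["idle_timeout"] = store.validate(sid2, now=t0 + IDLE_TTL + 1)
    sid3 = store.create("bob", now=t0)
    new_sid3 = store.rotate(sid3, now=t0 + 5)
    out["old_id_dead_after_rotate"] = store.validate(sid3, now=t0 + 6)
    out["new_id_alive"] = store.validate(new_sid3, now=t0 + 6)
    out["bob_sessions_killed"] = store.revoke_user("bob")
    return out


if __name__ == "__main__":
    print(demo())
```

The contrast with the JWT case is the revoke() path: one delete and the ID is dead everywhere, with no denylist to consult and no exp to wait out. The cost is that validate() must reach the same store from every node that serves requests.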

Why is JWT good?

  • Cross Site Request Forgery (CSRF) abuses the fact that the browser attaches cookies automatically: if the victim's session cookie is in the browser, a request forged from an attacker-controlled page carries that cookie and the server cannot tell it from a legitimate request

  • A JWT that the client sends explicitly in an Authorization header (rather than in a cookie) is never attached automatically, so a forged cross-site request arrives without it and CSRF is negated. This holds only for header-based transport: a JWT stored in a cookie is sent like any other cookie and needs the same CSRF defences (SameSite, anti-CSRF tokens)

What to do in the process of choosing the type for a server setting?

A tongue-in-cheek Python if/else to determine your needs XD

requirement = input("What are your needs?")

# Keyword matching on the stated requirement; later branches only run if earlier ones miss.
if "stateless" in requirement.lower():
    print("JWT")
elif "scalable" in requirement.lower():
    print("JWT")
elif "secure" in requirement.lower():
    print("JWT")
elif "immediate control" in requirement.lower():
    print("SBA")
else:
    print("Rethink what you want :)")

Long story(code) short:

If you need stateless, horizontally scalable verification and/or the extra hardening JWT allows (short-lived tokens, header transport), choose JWT

If you want efficient, immediate control over who is logged in (revocation that takes effect on the next request), choose SBA

Want MORE security?

  • Meet JSON Web Encryption (JWE)

  • It is the encrypted form of a JWT: a plain signed token (JWS) only base64url-encodes its payload, so anyone holding the token can read the claims, whereas JWE encrypts the payload so only the holder of the decryption key can read them. Its compact serialization has five base64url-encoded parts (protected header, encrypted key, initialization vector, ciphertext, authentication tag) instead of the three of a JWS

  • Because the claims are confidential to parties without the key, it provides more security for end users than a JWS alone (Disclaimer: this still DOES NOT mean you should store sensitive information such as passwords in a JWE; treat it as a transport protection, not a vault)

  • More about JWE

    • https://www.forgebox.io/view/JWTSignEncrypt

    • https://www.scottbrady91.com/jose/json-web-encryption

Interview questions:

  • What is the difference between JWT and session based authentication?

  • What is the advantage and what's the disadvantage in the comparison of JWT to session?

Additional Questions:

  • What is the recommended way to store JWT tokens on the client-side if I really need to (cookie)?

  • How does JWT handle token expiration and refreshment?

  • How does JWT ensure the integrity of the data it carries?

  • How does a server validate a JWT token?

References

Author: 🐱‍👤 Ninjarku

  • https://juejin.cn/post/7110044736848658445
  • https://dev.to/codeparrot/jwt-vs-session-authentication-1mol
  • https://blog.logrocket.com/jwt-authentication-best-practices/
  • https://iq.opengenus.org/user-authentication-techniques-types/
  • https://www.forgebox.io/view/JWTSignEncrypt
  • https://www.scottbrady91.com/jose/json-web-encryption
  • https://www.freecodecamp.org/news/how-to-sign-and-validate-json-web-tokens/

[Figures on the original page, not reproduced here: JWT authentication process; SBA process; example of a CSRF URL embedded in an <a> tag; JWE compact serialization using five parts instead of three]