search

JWT vs Session Based Authentication

hashtag
JWT vs. Session Based Authentication (SBA)

hashtag
JWT

  • Stateless - server don't need to keep record of the token

hashtag
SBA

  • Stateful - Sessions are stored server-side for PROPER SBAs

JWT authentication Process
SBA process

hashtag
Advantages of JWT

hashtag
Scalability:

  • Due to their stateless nature, JWTs are ideal for distributed systems.

hashtag
Flexibility:

  • They can be used across different domains and applications.

hashtag
Security:

  • When properly implemented, they provide a secure way to handle user authentication.

  • Implement short-lived JWTs and use refresh tokens for renewing access without re-authentications

hashtag
Disadvantage of JWT

hashtag
Transmission Security:

  • MUST transmit JWTs over HTTPS

  • Else it can be sniffed/stolen and abused

hashtag
Storage:

  • Storage of JWTs are entirely on client side, thus it is important to store them securely to prevent XSS attacks and other vulnerabilities

hashtag
Unpredictability:

  • It does not have revocation efficiency

  • If a valid JWT token stolen during its validity period, it can be used for authentication without the user's knowledge even if the user has logged out

  • To prevent this, additional processing logic at the backend has to be used, this leads to more overhead and partially defeats the purpose of using JWT, when the goal was to be stateless to begin with

hashtag
Advantages of SBA

hashtag
Simplicity and Reliability:

  • The server's session record acts as a centralized truth source, making it straightforward to manage user sessions.

hashtag
Revocation Efficiency:

  • Access can be quickly revoked by deleting or invalidating the session record, ensuring up-to-date session validity.

hashtag
Disadvantages of SBA

hashtag
Performance Issues (High Latency) at Scale in Dynamic Environments:

  • The dependency on database interactions for every session validation can introduce latency, especially for high-traffic applications.

  • In applications with dynamic clients, this latency can impact user experience, making session-based authentication less ideal in such scenarios.

hashtag
Why is JWT good?

  • Cross Site Request Forgery (CSRF) uses cookies to direct forged attacks towards a target, if the user has a cookie that is stored on the browser, this attack vector will be able to abuse the cookie to accomplish their malicious actions

Example of a CSRF URL embedded in an <a> tag

  • As JWT does not use cookies, it negates CSRF attacks

hashtag
What to do in the process of choosing the type for a server setting?

Python choose if else to determine your needs XD

hashtag
Long story(code) short:

If you need stateless, scalable, and/or more security then choose JWT

If you want efficient immediate control, choose SBA

hashtag
Want MORE security?

  • Meet JSON Web Encryption (JWE)

  • It is the encrypted form of JWT, using 5 header sections instead of 3

JWE Using 5 headers instead of 3

  • It is significantly considered harder to decrypt compared JWT, providing more security for end users (Disclaimer: This still DOES NOT mean you should store sensitive information in the JWE)

  • More about JWE

    • https://www.forgebox.io/view/JWTSignEncrypt

    • https://www.scottbrady91.com/jose/json-web-encryption

hashtag
Interview questions:

  • What is the difference between JWT and session based authentication?

  • What is the advantage and what's the disadvantage in the comparison of JWT to session?

Additional Questions:

  • What is the recommended way to store JWT tokens on the client-side if I really need to (cookie)?

  • How does JWT handle token expiration and refreshment?

  • How does JWT ensure the integrity of the data it carries?

  • How does a server validate a JWT token?

hashtag
Author: Ninjarkuarrow-up-right🐱‍👤

hashtag
References

PreviousJWTNextJWT Challenge

Last updated