@halitbatur
Created June 2, 2022 09:11
cookies vs jwt for auth

Using session Cookie VS. JWT for Authentications

write your answers in the comments below:

  • Can you explain the steps that take place when a user signs in to a website?

  • Where are each of session/cookie and JWT data stored?

  • Which technology is stateful and which is stateless, and what is the difference between both?

  • What are the advantages and disadvantages of each of them in your opinion?

  • Overall which one would you prefer to use and why?

@awiednoor

Noor Awied, Huzeyfe AbdullahOglu, Israa Qaba

Can you explain the steps that take place when a user signs in to a website?

  A user reaches a login page on a website they have previously created an account with.
  The user information request is sent.
  The user provides their unique ID and key to verify their identity.
  The login credentials are compared against the originals stored on the website's server.
  If they match, the user is authenticated and provided access to their account.

Where are each of session/cookie and JWT data stored?
Session is stored in server memory.
JWT is stored in the browser with a secret key.

Which technology is stateful and which is stateless and what is the different between both?
Stateful: session
After successful authentication, the application generates a random token to send back to the client, then creates a client authenticated session in memory or in an internal database.
Stateless: JWT
After successful authentication, the application generates a token with all necessary data, signs it with a public key and sends it back to the client. There is a standard for token generation, JWT (JSON Web Token). The process is described in the OpenID Connect (OIDC) specification.

What are the advantages and disadvantages of each of them in your opinion?
Cookies
JWT is better in terms of scaling, because sessions can cause problems when lots of users are accessing the server at once, since they are stored in the server's memory.
Security:
JWTs can be decoded; even though they are semi-secure, no sensitive information should be included in them.

Overall which one would you prefer to use and why?

Session cookies take up very little bandwidth, whereas bandwidth consumption will be higher in the JWT-based approach; however, JWTs are stateless and are not restricted to presenting session-like information about the authenticated user itself.

Resources:
https://hackernoon.com/using-session-cookies-vs-jwt-for-authentication-sd2v3vci
https://www.openidentityplatform.org/blog/stateless-vs-stateful-authentication
https://stackoverflow.com/questions/27666810/json-web-token-jwt-advantages-disadvantages-over-cookies

@khaldarov

khaldarov commented Jun 2, 2022

Sara Hamoud, Adnan Khaldar, Yaman Rajab

Can you explain the steps that take place when a user signs in to a website?

  • The users enter their credentials (information) on the website's login form.
  • The credentials are then sent to the authentication server, with the password part hashed.
  • If the credentials match the registered pair (the username and the password), the system authenticates the users and grants them access to their accounts.
  • If there is no match, the users get an error message or prompt asking them to check their info and try again.

Where are each of session/cookie and JWT data stored?

  • Session’s cookies are stored in the client side containing session ID, and the session, itself, is stored on the server side.
  • JSON Web Tokens are stored in the client side.

Which technology is stateful and which is stateless, and what is the difference between both?

HTTP, DNS, and UDP use stateless protocols.

  • do not require the server to retain server information or session details,
  • there is no tight dependency between server and client,
  • are easy to implement on the Internet.

FTP (File Transfer Protocol) and Telnet use stateful protocols.

  • require the server to save the status and session information,
  • there is a tight dependency between server and client,
  • are logically heavy to implement on the Internet.

What are the advantages and disadvantages of each of them in your opinion?

Stateless:

Advantages:

  • Does not require the server to retain information about the state.
  • Server design, implementation and architecture is simple.
  • Handles crashes well, as we can fail over to a completely new server, and servers are regarded as cheap commodity machines.
  • Scaling architecture is easy.

Disadvantages:

  • They may decrease network performance by increasing the repetitive data sent in a series of requests.

Stateful :

Advantages:

  • Stateful Protocols provide better performance to the client by keeping track of the connection information.

Disadvantages

  • Requires server to save information about a session.
  • Server design, implementation and architecture is complicated.
  • Does not handle crashes well.
  • Servers are considered pricey but long-living.
  • The user would probably be logged out and have to start from the beginning.
  • Scaling architecture is difficult and complex.

Overall which one would you prefer to use and why?

Regarding the advantages of stateless and the disadvantages of stateful protocol, I would choose the stateless protocol.
