Using Session Cookies Vs. JWT for Authentication | Hacker Noon

June 8th 2020

Author profile picture

@shreyaghateShreya Ghate

Software Engineer at

HTTP is a stateless protocol and is used to transmit data. It enables the communication between the client side and the server side. It was originally established to build a connection between web browsers and web servers.

Let’s understand this with the help of an example:

Suppose we are shopping online, we add some items eg. headphone to our cart. Then we proceed to look for other items, during this time, we want the state of the cart items to be stored and not lost while performing any further tasks. This means that we want our states to be remembered during the entire shopping operation.

Since HTTP is a stateless protocol, to overcome this, we can use either session or tokens. This blog will help you understand the difference between both the authentication methods used for user authentication.

So let’s dive into the concepts of session (cookie) based and token based authentication, along with understanding the structure of the JSON Web Tokens i.e JWT.

Session-Based Authentication

Before the emergence of JSON Web Tokens, we predominantly used this type of authentication.

In this type of authentication method, the server is responsible for the authentication and the client does not know what happens at the server side after sending a request.

So what is session cookies?

The cookie created above is a session cookie: it is deleted when the client shuts down, because it didn’t specify an Expires or Max-Age directive. However, web browsers may use session restoring, which makes most session cookies permanent, as if the browser was never closed.

Let’s understand what happens typically when a user logs into any website on the web browser. For instance, the user logs in, the server will create a session for the user and store the session data in the server memory.

There is a session ID created which is stored in a cookie in the client’s browser while the user performs certain activity on the website. On every request that the user makes, a cookie is sent along with it.

The server can then verify the session data on the cookie with the session data stored in the server memory when the user logged in initially. When the user logs out from the website, that session data is deleted from the database and the server memory.

Token-Based Authentication

In token-based authentication, we use JWTs (JSON Web Tokens) for authentication. This is the widely used method for RESTful APIs.

Here, when the user sends a request for user authentication with the login details, the server creates an encrypted token in the form of JSON Web Token (JWT) and sends it back to the client. When the client receives a token, it means that the user is authenticated to perform any activity using the client.

The JWT is stored on the client side usually in localStorage and it is sent as an unique key of that user when the user requests any data from the server or is performing any activity for that website. So, when the request is received by the server, it validates the JWT for every request that it is that particular user only and then sends the required response back to the client.

This is how the header is sent along with every request to the server :

headers: {
"Authorization": "Bearer ${JWT_TOKEN}"

The user’s state is stored in the JWT on the client side. When the user logs out, the token is deleted from the Client side(localStorage). Thus, most of the data is stored in the client side and accessed directly instead of sending requests to the server.

JSON Web Tokens consists of three parts concatenated by dots (.):

  1. Header
  2. Payload
  3. Signature

JWT structure:


The output contains three Base64-URL strings separated by dots that can be easily passed in HTML and HTTP environments, while being more compact when compared to XML-based standards such as SAML.

JWT that has the previous header and payload encoded, and it is signed with a secret as shown in the following image.

Structure of a JWT :

Which one is better to use?

In modern web applications, JWTs are widely used as it scales better than that of a session-cookie based because tokens are stored on the client-side while the session uses the server memory to store user data, and this might be an issue when a large number of users are accessing the application at once. Since JWT is sent along with every request and contains all the user information, even though it is encoded, it is necessary to use the necessary information in JWT and sensitive information should be avoided or can be encrypted to prevent security attacks.

There is no fixed method to use at all times, it depends on the developer and the type of requirements to figure out which needs to be used for which scenario. For instance, OAuth uses a specific bearer-token and longer-lived refresh token to get bearer token. It is better to use a hybrid of both the types to create flexibility and robust application. 

I hope this article gives you a good understanding of the two widely used authentication types.

For any questions or suggestions, do comment. 😀


The Noonification banner

Subscribe to get your daily round-up of top tech stories!

read original article here