
Monday, December 9, 2019

Session vs Token-Based Authentication

An authentication system allows a user to access a resource only after the credentials they supply are compared with those stored in the database and found to match. Authentication can be either session-based or token-based.

Difference between Authentication and Authorization

Authentication is about validating your credentials, such as a user name or user ID and a password, to verify your identity. The system determines whether you are who you say you are using those credentials. In both public and private networks, the system authenticates the user's identity via login passwords. Authentication is usually done with a username and password, sometimes in conjunction with additional authentication factors, which refers to the various ways a user can be authenticated.
Authorization, on the other hand, occurs after your identity has been successfully authenticated by the system, and it is what grants you permission to access resources such as information, files, databases, funds, locations, almost anything. In simple terms, authorization determines whether you can access the system and to what extent.

Session-based authentication

Session-based authentication is one in which the user state is stored in the server's memory. When using a session-based auth system, the server creates and stores the session data in server memory when the user logs in, and then stores the session ID in a cookie in the user's browser.
The session ID is sent on every subsequent request to the server; the server looks it up against the stored session data and, if it matches, proceeds to process the requested action.

[Figure: working of session-based authentication]
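The login, cookie and lookup steps described above, as an added example (not code from the original post): a minimal in-memory session store in Python. The class and function names are assumptions for illustration. The store keeps all user state on the server, hands the browser only a random session ID, marks the cookie HttpOnly/Secure/SameSite, expires idle sessions, and lets logout invalidate a session immediately, which is the one thing server-side state makes easy. Passwords are checked against a salted PBKDF2 hash rather than stored in the clear.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL_SECONDS = 30 * 60  # assumed idle timeout for this demo


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only the digest and salt are ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(users: dict, username: str, password: str) -> None:
    """Constructed user table: username -> (salt, digest)."""
    salt = secrets.token_bytes(16)
    users[username] = (salt, hash_password(password, salt))


class SessionStore:
    """Server-side session state. A real deployment would back this with
    Redis or a database; a dict is enough to show the mechanism."""

    def __init__(self, ttl: int = SESSION_TTL_SECONDS, clock=time.time):
        self._sessions = {}   # session id -> {"user": ..., "expires": ...}
        self._ttl = ttl
        self._clock = clock   # injectable so expiry can be tested deterministically

    def login(self, username: str, password: str, users: dict):
        """Verify credentials; on success create session state on the server
        and return the session id that goes into the cookie. None on failure."""
        record = users.get(username)
        if record is None:
            return None
        salt, digest = record
        if not hmac.compare_digest(digest, hash_password(password, salt)):
            return None
        session_id = secrets.token_urlsafe(32)  # 256 bits, unguessable
        self._sessions[session_id] = {
            "user": username,
            "expires": self._clock() + self._ttl,
        }
        return session_id

    @staticmethod
    def cookie_header(session_id: str) -> str:
        """HttpOnly keeps scripts from reading the id; Secure limits it to TLS;
        SameSite=Lax blunts cross-site request forgery."""
        return f"Set-Cookie: sid={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"

    def resolve(self, session_id: str):
        """Look up the id sent on a subsequent request; None if unknown or expired."""
        data = self._sessions.get(session_id)
        if data is None:
            return None
        if self._clock() > data["expires"]:
            del self._sessions[session_id]
            return None
        return data

    def logout(self, session_id: str) -> None:
        """Server-side revocation: the id stops working at once."""
        self._sessions.pop(session_id, None)

    def active_count(self) -> int:
        """Memory held on the server grows with the number of live sessions."""
        return len(self._sessions)


if __name__ == "__main__":
    users = {}
    register(users, "alice", "correct horse battery staple")
    store = SessionStore()
    sid = store.login("alice", "correct horse battery staple", users)
    print(store.cookie_header(sid))
    print(store.resolve(sid))
    store.logout(sid)
    print(store.resolve(sid))
```

Note that `active_count()` is the scaling cost the post refers to later: every logged-in user occupies server memory until expiry or logout.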

Token-based authentication

Token-based authentication is one in which the user state is stored on the client. This has grown to be the preferred mode of authentication for RESTful APIs. In token-based authentication, the user data is encrypted into a JWT (JSON Web Token) with a secret and then sent back to the client.
The JWT is then stored on the client side, most commonly in localStorage, and sent as a header on every subsequent request. The server receives and validates the JWT before proceeding to send a response to the client.
Authorization: Bearer ${JWT_TOKEN}

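The issue/verify cycle described above, as an added example (not code from the original post): a minimal HS256 JWT implemented directly on Python's `hmac` and `base64` modules, with the Bearer-header handling on both sides. Function names are assumptions. Two caveats a practitioner should take from it: the standard HS256 JWT is signed, so the payload can be read by anyone who holds the token (see `peek_payload`), which is why secrets do not belong in claims and why a token sitting in localStorage is readable by any script running on the page; and the verifier must pin the algorithm and check `exp` itself, because nothing on the server side remembers the token.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = {"separators": (",", ":")}
    signing_input = (
        _b64url(json.dumps(header, **compact).encode())
        + "."
        + _b64url(json.dumps(claims, **compact).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: bytes, now=None):
    """Return the claims if the signature is valid and the token is unexpired,
    otherwise None. Malformed input is rejected rather than raising."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm: never trust "alg" from the token to pick a verifier,
        # which is how alg=none / key-confusion bugs arise.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # bad base64, bad JSON, wrong part count
        return None
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


def peek_payload(token: str) -> dict:
    """No secret needed: the payload is only base64url-encoded, not encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def bearer_header(token: str) -> dict:
    """Client side: the header the post shows."""
    return {"Authorization": f"Bearer {token}"}


def token_from_header(headers: dict):
    """Server side: extract the token, or None if the header is absent/malformed."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return token


if __name__ == "__main__":
    secret = b"constructed-demo-secret-do-not-reuse"
    tok = sign_jwt({"sub": "alice", "exp": int(time.time()) + 900}, secret)
    print(bearer_header(tok))
    print("claims:", verify_jwt(token_from_header(bearer_header(tok)), secret))
    print("readable without secret:", peek_payload(tok))
```

Because the server holds no per-token state, revoking a token before `exp` requires an extra mechanism (a deny-list or short-lived tokens with refresh), which is the trade-off for not keeping sessions in server memory.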
When to use?

There really isn't a single preferred method of authentication; both methods can be used interchangeably or together to create a hybrid system. It all boils down to the developer and the use case.
However, it is worth noting that token-based authentication scales better than session-based authentication, because tokens are stored on the client side while sessions consume server memory, which can become an issue when a large number of users are using the system at once.

#Authentication #token-based-authentication #session-based-authentication
