Session, Cookie, JWT, Token, SSO, and OAuth 2.0

Pranav Bakare - Sep 8 - - Dev Community

Image description

Here’s an overview of each authentication and session management mechanism, along with examples:

1. Session

  • Concept: A session is a temporary and server-side record of user activity and state. When a user logs in, the server stores user information (session data) and gives the user a session ID, usually stored in a cookie on the client-side.
  • Example: In a web app, when a user logs in, the server creates a session and assigns a session ID. The session ID is sent to the user via a cookie. On subsequent requests, the browser sends this session ID back to the server, allowing the server to recognize the user and provide the appropriate data.

Flow:

  1. User logs in.
  2. Server generates session data and stores it in memory or a database.
  3. Server sends a session ID (cookie) to the browser.
  4. Browser sends the session ID with each request, and the server validates it.

2. Cookie

  • Concept: A cookie is a small piece of data stored on the client’s browser. It is used to remember information across multiple requests (e.g., authentication session data, preferences). Cookies can be either "session cookies" (expire when the browser is closed) or "persistent cookies" (stored on the user's device until they expire or are deleted).
  • Example: After logging in, a web app stores a session ID in a cookie (Set-Cookie header), and this cookie is sent to the server with every request to keep the user logged in. 
  Set-Cookie: session_id=abc123; HttpOnly; Secure
Enter fullscreen mode Exit fullscreen mode

3. JWT (JSON Web Token)

  • Concept: JWT is a stateless, token-based authentication mechanism. Unlike session cookies, JWTs are not stored on the server. Instead, the client stores the token (usually in local storage or cookies) and sends it with each request. The server verifies the token to authenticate the user.
  • Example: When a user logs in, the server generates a JWT, encodes user data (claims), signs it, and sends it back to the client. The client sends the JWT in the Authorization header for subsequent requests.

Flow:

  1. User logs in.
  2. Server generates and signs a JWT, sends it to the client.
  3. Client stores the JWT in local storage or a cookie.

  4. Client sends the JWT with every API request:

     Authorization: Bearer <token>

  5. Server validates the JWT (signature and claims).

4. Token

  • Concept: A token is a piece of data (usually generated on the server) that allows a client to authenticate requests without storing session data on the server. Tokens can be session-based, like access tokens (for short-term use) and refresh tokens (for long-term use).
  • Example: In OAuth, when a user logs in with an external provider (like Google), they get an access token, which they use to make authenticated API requests.

Flow:

  1. User requests access.
  2. Server generates a token and sends it back to the client.
  3. Client sends the token on each request for authentication.

5. SSO (Single Sign-On)

  • Concept: SSO allows a user to log in once and gain access to multiple services without needing to log in again for each service. It typically uses a central identity provider (IdP), like Google or Okta, to authenticate users.
  • Example: If you log into Google, you can access Gmail, YouTube, and Google Drive without logging in again, thanks to SSO.

Flow:

  1. User tries to access a service (e.g., Gmail).
  2. Gmail redirects the user to the Google identity provider (IdP).
  3. User logs into Google.
  4. Google returns a token to Gmail, granting access to the user.
  5. The user is authenticated and can access other services (YouTube, Google Drive) without logging in again.

6. OAuth

  • Concept: OAuth is an authorization protocol that allows third-party apps to access a user’s resources on another service without exposing the user's credentials. OAuth uses tokens for granting access.
  • Example: When you sign in to an application using "Login with Google," the app is using OAuth to request permission to access your Google account.

Flow:

  1. User initiates login via Google (OAuth provider).
  2. User is redirected to Google, where they log in.
  3. Google asks for permission to share user data with the requesting app.
  4. Upon approval, Google provides the app with an access token.
  5. The app uses the access token to request user information from Google's API.

Summary of Use Cases

  • Session: Traditional server-based authentication; good for small apps.
  • Cookie: Stores small pieces of data like sessions, preferences.
  • JWT: Stateless, token-based authentication; suitable for microservices or mobile apps.
  • Token: Used in API-based authentication like OAuth.
  • SSO: Log in once to access multiple services.
  • OAuth: Authorization for third-party access without sharing passwords.

These mechanisms are often used in combination based on the specific security requirements of the application.

Image
The Secret to Smooth Animations in JavaScript!

webdev, javascript, beginners, tutorial
Image
Types of DNS attacks
Image
Event Loop Explained

javascript, webdev, frontend, interview
Image
Model Merging: Combining LLMs and MLLMs for Powerful, Accessible AI
Image
Effective Tools for Tech Enthusiasts in 2024: Technologies You Must Be Using
Image
Upload Docker Images to GitHub: A Simple Guide with GitHub Actions
Image
Something could double the development efficiency of Java programmers
Image
Revolutionizing Exhibition Hall Design: How Wings Engine Transforms Modern Exhibitions
Image
Enjoy Enterprise-Level Security for Free with SafeLine Community Edition
Image
Boost Your SEO with One Line of HTML
Image
Unlock Your Coding Potential with These AI-Powered Tools
Image
Embracing AI in Content Creation: Making It Sound Human
Image
GBase 8a MPP Cluster FTP File Server Configuration Guide
Image
Time Management for Developers: Balancing Code and Life
Image
What happens when a user tries to access a resource in AWS ?
Image
Introductions to ML
Image
LabEx Trending: Creating Product Information Table and More 🌟
Image
How to Do DORA Metrics Right
Image
ت
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Terabox Video Player