Authentication, Authorization, and Credential Mechanisms: Cookies, Sessions, Tokens, and JWT
This article explains the fundamentals of authentication, authorization, and credentials, compares cookies, sessions, and token‑based approaches, discusses token and JWT structures, outlines common authentication patterns, and provides practical guidance on their use and pitfalls in distributed systems.
Authentication, Authorization, and Credentials
Authentication verifies a user's identity (e.g., password login, email link, SMS code), while authorization determines what actions an authenticated user may perform. Credentials are the media (e.g., ID cards, tokens) that prove identity.
Cookies and Sessions
HTTP is stateless, so servers use cookies or sessions to track users. Cookies are stored client‑side and sent with each request; they are domain‑bound and limited to ~4 KB. Sessions store state server‑side, with the session ID kept in a cookie. Session data can be shared via replication, sticky routing, or external stores such as Redis.
Token‑Based Authentication
Tokens (e.g., JWT) are issued after successful login and stored client‑side (often in localStorage). Each request includes the token in the Authorization: Bearer <token> header, allowing stateless verification without server‑side session storage.
Authorization: Bearer <token>JWT Overview
JWT consists of a header (algorithm), payload (claims such as user ID and expiration), and signature. It is self‑contained, enabling cross‑domain authentication without cookies. Validation involves recomputing the signature with the server’s secret key.
GET /calendar/v1/eventsJWTs can be transmitted via headers, request bodies, or query parameters (e.g., http://www.example.com/user?token=xxx ).
http://www.example.com/user?token=xxxCommon Authentication Methods
Session‑Cookie
Token verification (including JWT and SSO)
OAuth 2.0
Security Considerations
Cookies are vulnerable to tampering; use HttpOnly and limit size.
Sessions consume server memory; sharing across nodes requires external stores.
Tokens can be long and may expose data if stored insecurely; prefer short lifetimes and HTTPS.
JWTs are not encrypted by default; avoid placing sensitive data in payloads.
Distributed Session Sharing Strategies
Session replication across nodes.
Sticky sessions (IP‑hash routing).
External session stores (Redis, Memcached) for shared access.
Persisting sessions in databases for durability.
Practical Tips
Never store passwords in plain text; always hash with strong algorithms.
Use HTTPS to protect token transmission.
Implement token revocation via blacklists if needed.
Top Architect
Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.