Information Security 12 min read

Credentials, Cookie‑Session, and JWT: A Journey‑to‑the‑West Analogy for Authentication

This article uses the Journey to the West story as a metaphor to explain credentials, the Cookie‑Session authentication model, and the JWT token scheme, comparing their mechanisms, advantages, disadvantages, and practical implications for modern microservice security.

Wukong Talks Architecture

Hello, I am Wukong.

In the classic novel Journey to the West, the monk Tang Xuanzang carries a passport ("通关文牒") that is stamped by each kingdom he enters; the stamps allow him to pass through.

Passport (通关文牒)

The passport is an official credential issued by the Tang dynasty, proving the holder’s diplomatic status. It is recognized by other kingdoms, similar to how a security token is trusted across services.

What Is a Credential?

A credential is a proof of identity: it lets the receiving party confirm that the presenter is who they claim to be, that the claims it carries are intact, and that the issuer cannot later deny having issued it (non‑repudiation). The Tang emperor’s stamped passport is an early example of a credential.

In modern systems this maps to authentication and authorization tokens such as OAuth 2.0 access tokens and JWTs.

Credential Storage Options

There are two common places to keep the credential: the Cookie‑Session model (state on the server) and the JWT scheme (state in the token the client carries).

Cookie‑Session Model

After a user logs in, the backend stores the user’s identity in a server‑side session and returns an opaque sessionId to the client (typically via a Set‑Cookie header). The client includes this sessionId in subsequent HTTP requests via the Cookie header.

The server retrieves the session using the ID, extracts the user information, and processes the request.

Although HTTP is stateless, the Cookie‑Session approach introduces state on the server, enabling the server to identify the requester.

Advantages:

The session data itself never leaves the server; only the sessionId travels to the client, and that cookie can be protected by the browser’s same‑origin policy and by TLS, which limits credential leakage.

Server can actively invalidate sessions (e.g., force logout).

Disadvantages:

Scaling horizontally requires session replication or a shared session store, which adds synchronization cost and complexity.

If a node crashes, its sessions are lost unless replicated.
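The following Python snippet is an added example (not code from the original article) that models the Cookie‑Session flow just described: login creates server‑side state and hands back an opaque sessionId, each request is resolved by looking that ID up, the server can force a logout instantly, and a second node with its own unreplicated store cannot recognize the session at all. The in‑memory dict stands in for whatever shared store a real deployment would use; the cookie name `SESSIONID` and the TTL are assumptions.

```python
import secrets
import time

SESSION_TTL_SECONDS = 3600  # assumed idle lifetime for a session


class SessionStore:
    """Server-side session state. In production this would be a shared
    store (e.g. a cache cluster) so that every node can resolve an ID."""

    def __init__(self):
        self._sessions = {}  # sessionId -> {"user": ..., "created": ...}

    def login(self, username, now=None):
        """Create server-side state and return the opaque sessionId
        that the client will carry back in its Cookie header."""
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(32)  # 256 bits: unguessable
        self._sessions[session_id] = {"user": username, "created": now}
        return session_id

    def resolve(self, session_id, now=None):
        """Map a sessionId back to a user; None means 'not logged in'."""
        now = time.time() if now is None else now
        record = self._sessions.get(session_id)
        if record is None:
            return None
        if now - record["created"] > SESSION_TTL_SECONDS:
            del self._sessions[session_id]  # expired: drop the state
            return None
        return record["user"]

    def force_logout(self, session_id):
        """Server-side revocation: the ID stops working immediately,
        which is the capability a stateless JWT lacks."""
        return self._sessions.pop(session_id, None) is not None


def parse_cookie_header(header):
    """Minimal parser for 'a=1; b=2' (constructed for this example)."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def handle_request(store, cookie_header):
    """Who is making this request, according to the session store?"""
    session_id = parse_cookie_header(cookie_header).get("SESSIONID")
    return store.resolve(session_id) if session_id else None


def demo():
    store = SessionStore()
    sid = store.login("xuanzang")
    cookie = f"SESSIONID={sid}; theme=dark"  # constructed Cookie header
    before = handle_request(store, cookie)   # "xuanzang"
    store.force_logout(sid)
    after = handle_request(store, cookie)    # None: revoked server-side
    # A second node with its own, unreplicated store: the ID means nothing.
    other_node = SessionStore()
    on_other_node = handle_request(other_node, cookie)  # None
    return before, after, on_other_node


if __name__ == "__main__":
    print(demo())
```

The last two lines of `demo()` are the scaling cost in miniature: unless `other_node` shares or replicates the store, the same cookie that worked on the first node is rejected on the second.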

JWT Scheme

To avoid server‑side state, the client stores all necessary information in a token and sends it with each request.

A JWT (JSON Web Token) consists of three Base64url‑encoded parts separated by dots: Header, Payload, and Signature.

{
  "alg": "HS256",
  "typ": "JWT"
}

The Header declares the token type and signing algorithm. The Payload carries claims (e.g., "sub", "name", "iat"). The Signature is computed as:

HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

The signature guarantees that the header and payload have not been tampered with, but it does not hide them: the payload is only encoded, not encrypted, so anyone holding the token can read its claims.

Advantages:

Stateless – no server‑side storage required.

Easy horizontal scaling.

Can be stored in LocalStorage, not limited to cookies.

Disadvantages:

Tokens cannot be revoked easily; they remain valid until expiration.

A stolen token can be replayed until it expires unless additional checks are combined with it.

Potential leakage if stored insecurely on the client.

Size limits of HTTP headers may restrict token length.
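The Python snippet below is an added example (not code from the original article) covering both the signature computation above and the revocation and readability points in the list: it builds an HS256 JWT from the header and payload exactly as the formula describes, verifies it with a constant‑time comparison and an `exp` check, shows that the payload is readable without the secret, that changing a claim breaks the signature, and that a token stays valid until `exp` because nothing on the server can withdraw it. The secret and claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data):
    """Base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(signing_input, secret):
    """HMAC-SHA256 over 'base64url(header).base64url(payload)'."""
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def encode_jwt(payload, secret):
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    signature = sign_hs256(signing_input.encode("ascii"), secret)
    return signing_input + "." + b64url_encode(signature)


def decode_unverified_payload(token):
    """Anyone can do this: the payload is encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token, secret, now=None):
    """Return the claims if the signature and 'exp' check out, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        return None
    expected = sign_hs256(f"{header_b64}.{payload_b64}".encode("ascii"), secret)
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None  # tampered, or signed with a different secret
    payload = json.loads(b64url_decode(payload_b64))
    if "exp" in payload and now >= payload["exp"]:
        return None  # expired: the only way a stateless token stops working
    return payload


def demo():
    secret = b"constructed-demo-secret"  # constructed; use a long random key in practice
    claims = {"sub": "xuanzang", "iat": 1000, "exp": 4600}
    token = encode_jwt(claims, secret)

    readable = decode_unverified_payload(token)["sub"]        # "xuanzang", no secret needed
    valid = verify_jwt(token, secret, now=2000) is not None    # True

    # Forge: swap the payload, keep the original signature.
    h, _, s = token.split(".")
    forged_payload = b64url_encode(json.dumps({"sub": "admin"}).encode())
    tampered_ok = verify_jwt(f"{h}.{forged_payload}.{s}", secret, now=2000) is not None  # False

    # Revocation problem: the server cannot withdraw the token before 'exp'.
    still_valid_later = verify_jwt(token, secret, now=4599) is not None  # True
    expired = verify_jwt(token, secret, now=4600) is None                # True
    return readable, valid, tampered_ok, still_valid_later, expired


if __name__ == "__main__":
    print(demo())
```

The `alg` pin in `verify_jwt` is deliberate: a verifier that lets the token dictate the algorithm gives an attacker control over how it is checked, so the server, not the token, should decide which algorithms are acceptable.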

Summary

In the analogy, Tang Xuanzang is the client, the passport is the JWT token, and each kingdom represents a microservice in a distributed system. Using JWT‑based authentication, the client can travel freely across services, just as the monk obtains the true scriptures.

Next article: hands‑on implementation of Spring Cloud Gateway + JWT authentication.

Written by Wukong Talks Architecture

Explaining distributed systems and architecture through stories. Author of the "JVM Performance Tuning in Practice" column, open-source author of "Spring Cloud in Practice PassJava", and independently developed a PMP practice quiz mini-program.
