Understanding Authentication, Authorization, Cookies, Sessions, Tokens and JWT
This article explains the fundamentals of authentication and authorization, the roles of credentials, cookies, sessions, various token types including access and refresh tokens, and details the structure, generation, and usage of JWTs, while comparing security considerations and distributed session sharing strategies.
What is Authentication
Authentication is the process of verifying a user's identity, e.g., matching a fingerprint to a stored template.
What is Authorization
Authorization grants a third‑party application permission to access specific user resources, implemented via cookies, sessions, tokens, OAuth, etc.
What are Credentials
Credentials are the medium (e.g., ID cards, tokens) that prove identity in both real life and web applications; after login a server issues a token that the client presents on subsequent requests.
What is a Cookie
Cookies are small pieces of data stored on the client, sent with each request to the same domain, used for session tracking; they are domain‑bound and cannot be shared across unrelated domains.
What is a Session
Sessions store state on the server; the server creates a Session, returns a SessionID, which the client stores in a cookie and sends back on later requests.
Difference between Cookie and Session
Security: Sessions are server‑side, Cookies client‑side.
Data type: Cookies store strings only; Sessions can store any type.
Lifetime: Cookies can persist long; Sessions usually expire when the browser closes or after a timeout.
Size: Cookies limited to ~4 KB; Sessions can hold much more data.
What is a Token
Tokens are credentials for accessing APIs; a simple token contains uid, timestamp, and a signature. Tokens enable stateless, scalable authentication and are often placed in HTTP headers.
Access Token Flow
Client logs in with username/password.
Server validates credentials and issues a token.
Client stores the token (e.g., in a cookie or localStorage).
Client includes the token in the Authorization header for each request.
Server validates the token and returns the requested data.
Authorization: Bearer <token>
Refresh Token
A refresh token is used to obtain a new access token without re‑entering credentials.
Token vs Session
Sessions keep state on the server; tokens are self‑contained credentials that make the server stateless. Tokens are generally more secure for API access, while sessions are simpler for traditional web sites.
What is JWT
JSON Web Token (JWT) is a popular stateless authentication mechanism that carries claims in a signed JSON object.
JWT Generation
Tools: jwt.io, jsonwebtoken.io
JWT Principle
After successful login the server returns a JWT; the client stores it (cookie or localStorage) and sends it in the Authorization header as “Bearer <token>”. The server validates the signature without needing a database lookup.
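The issue-and-verify cycle described above, as an added example that is not part of the original article: a minimal HS256 JWT built with only the Python standard library, verified by recomputing the HMAC and checking exp, with no database lookup. The secret, the uid and the TTL are constructed demo values.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # placeholder signing key, not from the article

def b64url(data: bytes) -> str:
    # JWT segments are base64url with the '=' padding removed
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(uid: str, ttl_seconds: int, now=None) -> str:
    # Server side: after a successful login, sign sub/iat/exp claims with HS256
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": uid, "iat": now, "exp": now + ttl_seconds}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_jwt(token: str, now=None):
    # Server side: returns the claims if signature and expiry check out, else None
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
            return None
        payload = json.loads(b64url_decode(p))
    except (ValueError, AttributeError, TypeError):
        return None  # malformed segment, bad base64 or non-object JSON
    if payload.get("exp", 0) <= now:
        return None  # short-lived token has expired
    return payload

def authorize_request(headers: dict, now=None):
    # Extract the token from "Authorization: Bearer <token>" and validate it
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return verify_jwt(auth[len("Bearer "):], now)
```

Any change to the payload, an empty signature, or an alg=none header makes verification fail, which is the property that lets the server stay stateless.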
Using JWT
Clients can place the JWT in cookies, Authorization header, POST body, or URL query string.
GET /calendar/v1/events
Host: api.example.com
Authorization: Bearer <token>
Common Front‑Back Authentication Methods
Session‑Cookie
Token verification (including JWT, SSO)
OAuth 2.0
Common Encryption Algorithms
Hash algorithms (MD5, SHA‑1, SHA‑256, etc.) produce data fingerprints; they are fast, one‑way, and designed to be collision‑resistant. For security, use a strong hash function and combine it with RSA or HMAC to produce signatures.
Considerations When Using Cookies, Sessions, Tokens, JWT
Cookies can be tampered with; they should be marked httpOnly and kept small.
Sessions consume server memory and need sharing mechanisms in clustered environments.
Tokens avoid CSRF and same‑origin restrictions but require secure storage.
JWTs are stateless, cross‑origin friendly, but must be short‑lived and transmitted over HTTPS.
Distributed Session Sharing Solutions
Session replication across nodes.
Sticky sessions (IP hash).
Shared cache (Redis, Memcached).
Persistent storage in a database.
Each approach has trade‑offs between simplicity, fault tolerance, and performance.
Java Captain