Understanding Authentication, Authorization, Credentials, Cookies, Sessions, Tokens, and JWT
This article explains the fundamentals of authentication and authorization, the role of credentials, the differences between cookies and sessions, various token types including access and refresh tokens, and the principles, usage, and security considerations of JSON Web Tokens (JWT).
What is Authentication
Authentication verifies a user's identity: it establishes that the party making a request is who it claims to be (like a fingerprint check when clocking in at work). Common web methods include username/password, email login links, SMS verification codes, and any other mechanism that confirms the person is the account owner.
What is Authorization
Authorization decides what an authenticated identity is allowed to do: which resources it may read or change and which actions it may take. The familiar consent prompts are one form of it, delegated authorization, in which a user grants a third‑party application limited access to specific resources, such as an app asking for photos or location, or a WeChat mini‑program asking for profile information.
Cookies, sessions, and tokens are ways of carrying the result of a successful authentication across later requests; OAuth 2.0 is the standard protocol for delegated authorization.
What are Credentials
Credentials are what a party presents to prove an identity claim (a password, an ID card or certificate, a private key, a one‑time code). Authentication checks credentials; authorization then decides what the verified identity may do.
What is a Cookie
Cookies are small pieces of data the server sets in the browser, which the browser then sends back with every request to the same site, letting the server recognize the client across otherwise stateless HTTP requests. A cookie is scoped by its Domain and Path attributes: it is sent only to the host that set it (or, if Domain is set, to that domain and its subdomains) and is never shared with unrelated domains. The Secure, HttpOnly, and SameSite attributes further restrict when it is sent and whether page scripts can read it.
What is a Session
Sessions store state on the server; only a SessionID is placed in a client‑side cookie to link requests to the server‑side session data. The lifecycle: the server creates a session (typically after a successful login), returns the SessionID in a Set‑Cookie header, the browser stores it, and every subsequent request carries the cookie so the server can look up the session and treat the request as logged in. The SessionID is a bearer secret, so it must be long and generated from a cryptographically secure random source, and it should be regenerated at login so that an ID planted in the browser beforehand (session fixation) never becomes an authenticated session.
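The session lifecycle above, as an added example in Python that is not code from the original article. A dictionary stands in for the Redis or database store a real deployment would use, and the cookie name `sid`, the 30‑minute idle timeout, and the helper names are assumptions for the example. It shows the three things that matter in practice: an unguessable ID, the cookie attributes that keep the ID off the wire and away from scripts, and regenerating the ID at login.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_IDLE_TTL = 30 * 60  # assumption: 30-minute idle timeout


class SessionStore:
    """Server-side session state keyed by an opaque SessionID.

    A dict stands in for the Redis/database store a real deployment uses
    (assumption for the example). Only the ID ever reaches the client.
    """

    def __init__(self, ttl=SESSION_IDLE_TTL, clock=time.time):
        self._sessions = {}
        self.ttl = ttl
        self.clock = clock  # injectable so expiry can be tested

    def create(self, user_id):
        # 32 bytes from the OS CSPRNG: the ID carries no information, it is
        # only a key into server state, so it must be unguessable.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user_id": user_id,
                               "expires": self.clock() + self.ttl}
        return sid

    def lookup(self, sid):
        """Return the session data for a SessionID, or None if unknown/expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self.clock() >= entry["expires"]:
            self.destroy(sid)  # clean up so stale entries do not pile up
            return None
        entry["expires"] = self.clock() + self.ttl  # sliding idle timeout
        return entry

    def regenerate(self, sid):
        """Move an existing session to a fresh ID. Call this at login: an
        attacker who planted the old ID in the victim's browser (session
        fixation) must not end up sharing the authenticated session."""
        entry = self._sessions.pop(sid, None)
        if entry is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = entry
        return new_sid

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """Build the Set-Cookie header that hands the SessionID to the browser.
    HttpOnly keeps page scripts (XSS) from reading it, Secure keeps it off
    plain HTTP, SameSite=Lax stops most cross-site requests from carrying it."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["httponly"] = True
    c["sid"]["secure"] = True
    c["sid"]["samesite"] = "Lax"
    c["sid"]["path"] = "/"
    return c.output(header="Set-Cookie:").strip()


def session_id_from_cookie(cookie_header):
    """Extract the SessionID from an incoming Cookie header value."""
    c = SimpleCookie()
    c.load(cookie_header or "")
    morsel = c.get("sid")
    return morsel.value if morsel else None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create(user_id=42)                   # after the password check
    print(set_cookie_header(sid))
    incoming = session_id_from_cookie("sid=" + sid)  # next request from the browser
    print(store.lookup(incoming))
```

The store is keyed by the raw ID because the ID is the lookup key; if the store itself can be read by an attacker (a dumped Redis instance), hashing the ID before using it as the key denies them ready‑to‑use cookies at no real cost.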
Cookie vs. Session Differences
Security: Session data never leaves the server, so the client cannot read or tamper with it; cookie contents sit on the client and can be read and modified there unless they are signed or encrypted. The SessionID cookie itself is still a bearer secret, so a stolen one is as good as a password.
Data type: Cookies store strings only; sessions can hold any server‑side data structure.
Expiration: A cookie with an Expires or Max‑Age attribute can persist for months; a cookie without one is discarded when the browser closes, and server‑side session data is usually dropped after an idle timeout.
Size: Each cookie is limited to about 4KB; sessions can hold larger data but consume server resources.
What is a Token
Tokens (access tokens) are credentials presented to access protected APIs. A simple token might pack a user ID and an issue timestamp together with a signature over both, so the server can verify it without a database lookup. Tokens support stateless, horizontally scalable authentication, suit mobile and native clients that have no cookie jar, and allow one service to call another.
Token authentication flow: the client logs in with username/password, the server validates the credentials and issues a token, the client stores it and sends it in the Authorization header on each request. Where the client stores it matters: localStorage is readable by any script running on the page, so an XSS bug leaks the token; an HttpOnly cookie is not, but then the request is subject to CSRF and needs SameSite or a CSRF token.
Refresh Token
Refresh tokens are used to obtain new access tokens without re‑entering credentials, so access tokens can be short‑lived without forcing constant logins. A refresh token is issued to the client along with the access token, is typically long‑lived, and is sent only to the token endpoint rather than with every API call, so it is exposed far less often. The server keeps a record of each issued refresh token (preferably a hash of it) so that it can be revoked, and it is good practice to rotate the refresh token on every use and to treat a replayed, already‑used token as evidence of theft.
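An added example, not from the original article, of the server‑side refresh‑token record described above, with rotation and reuse detection. A dictionary stands in for the database, the 30‑day lifetime is an assumption, and the class and method names are mine. Minting the short‑lived access token is left to the caller so that this block stays about the refresh token's own lifecycle.

```python
import hashlib
import secrets
import time

REFRESH_TTL = 30 * 24 * 3600  # assumption: refresh tokens live 30 days


class RefreshTokenStore:
    """Server-side record of issued refresh tokens (a dict stands in for a
    database, an assumption for the example).

    Tokens are random, opaque strings; only their SHA-256 hash is stored, so a
    leaked table does not hand out usable tokens. Every token belongs to a
    "family" that starts at login and continues through each rotation.
    """

    def __init__(self, ttl=REFRESH_TTL, clock=time.time):
        self._records = {}           # sha256(token) -> record
        self._revoked_families = set()
        self.ttl = ttl
        self.clock = clock           # injectable so expiry can be tested

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, family=None):
        """Create a refresh token for user_id; a new family unless continuing one."""
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = {
            "user_id": user_id,
            "family": family or secrets.token_hex(8),
            "expires": self.clock() + self.ttl,
            "used": False,
        }
        return token

    def rotate(self, token):
        """Exchange a refresh token for (user_id, new_refresh_token).

        Returns None if the token is unknown, expired, or in a revoked family.
        A token presented a second time is treated as theft: either the real
        client or an attacker is replaying it, and since the server cannot
        tell which, the whole family is revoked and both must log in again.
        The caller then mints a fresh access token for the returned user_id.
        """
        rec = self._records.get(self._key(token))
        if rec is None or self.clock() >= rec["expires"]:
            return None
        if rec["family"] in self._revoked_families:
            return None
        if rec["used"]:
            self._revoked_families.add(rec["family"])
            return None
        rec["used"] = True
        return rec["user_id"], self.issue(rec["user_id"], rec["family"])

    def revoke_user(self, user_id):
        """Log a user out everywhere: revoke every family that belongs to them."""
        for rec in self._records.values():
            if rec["user_id"] == user_id:
                self._revoked_families.add(rec["family"])


if __name__ == "__main__":
    store = RefreshTokenStore()
    r1 = store.issue(user_id=42)      # handed out at login with the access token
    user, r2 = store.rotate(r1)       # client refreshes; r1 is now spent
    print(user, store.rotate(r1))     # replay of r1 -> None, family revoked
    print(store.rotate(r2))           # r2 is dead too -> None
```

Rotation is what makes reuse detection possible: without it a stolen refresh token is indistinguishable from the legitimate one for its whole lifetime.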
Token vs. Session
Self‑contained tokens let the server authenticate a request without keeping per‑user state; sessions require server‑side state for every logged‑in user.
Because a self‑contained token (e.g. a JWT) carries its own claims and signature, it avoids a database lookup on every request, at the price that it cannot be revoked before expiry without adding some state back.
What is JWT
JSON Web Token (JWT) is a popular, self‑contained token format that carries claims about a user. It has three base64url‑encoded parts separated by dots: a header naming the algorithm, a payload of claims, and a signature over the first two. It can be signed with an HMAC (HS256), RSA (RS256), or ECDSA (ES256) key, providing integrity and authenticity; the signature does not provide confidentiality.
JWT authentication flow: user logs in, server returns a JWT, client stores it (often in localStorage), and includes it as Authorization: Bearer <jwt> in protected requests.
JWT advantages: stateless verification, fewer DB queries, usable across domains because it travels in a header rather than a cookie, and the payload can be encrypted (JWE) if it must carry confidential claims. Drawbacks: a plain JWT cannot be revoked before it expires unless the server keeps a denylist of token IDs, so access tokens must be kept short‑lived; and the verifier must pin the expected algorithm instead of trusting the token's alg header, or an attacker can present an unsigned (alg=none) token.
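The signed‑token idea from the Token section (user ID plus timestamp plus signature) and the JWT flow above, as one added example in Python using only the standard library; it is not code from the original article. It shows what a verifier must check: the algorithm is pinned to HS256 rather than read from the header, the signature is compared in constant time, exp is enforced, and a jti denylist gives the revocation hook the article says plain JWTs lack. The key, claim names, and function names are assumptions; in production use a maintained JWT library and keep the key in configuration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class JwtError(Exception):
    """Raised for any token that must be rejected; callers treat all causes alike."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def jwt_encode(claims: dict, key: bytes, ttl: int = 900, now=None) -> str:
    """Sign claims as an HS256 JWT: b64url(header).b64url(payload).b64url(sig).
    Adds iat/exp (ttl seconds, default 15 min) and a random jti so a single
    token can be denylisted if it has to be revoked before it expires."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl, jti=secrets.token_hex(8))
    signing_input = _b64url(_json(header)) + "." + _b64url(_json(payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def jwt_decode(token: str, key: bytes, now=None, denylist=frozenset()) -> dict:
    """Verify an HS256 JWT and return its claims, or raise JwtError."""
    now = int(time.time() if now is None else now)
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise JwtError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise JwtError("malformed token")
    # Pin the algorithm: the verifier decides how to verify, never the token.
    # Honouring the header would let "alg":"none" (empty signature) or a
    # public-key-used-as-HMAC-secret token pass as valid.
    if header.get("alg") != "HS256":
        raise JwtError("unexpected alg")
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time compare
        raise JwtError("bad signature")
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise JwtError("expired")
    if payload.get("jti") in denylist:  # server-side revocation hook
        raise JwtError("revoked")
    return payload


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # assumption: the real key lives in config
    token = jwt_encode({"sub": "42", "role": "user"}, key)
    print(jwt_decode(token, key))
    # Forgery attempt: swap the header for alg=none and drop the signature.
    _, body, _ = token.split(".")
    forged = _b64url(_json({"alg": "none", "typ": "JWT"})) + "." + body + "."
    try:
        jwt_decode(forged, key)
    except JwtError as e:
        print("rejected:", e)
```

The denylist only needs to hold jti values until their exp passes, so it stays small even though it reintroduces a little server state.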
Common Authentication Methods
Session‑Cookie
Token validation (including JWT, SSO)
OAuth 2.0
Common Cryptographic Algorithms
Hash algorithms (e.g., MD5, SHA‑1, SHA‑256) create fixed‑size fingerprints of data for integrity checks and as the building block of HMACs and signatures. MD5 and SHA‑1 are broken against collisions and must not be used for signatures or certificates; use the SHA‑2 family or newer. Password storage is a different problem: a general‑purpose hash, even SHA‑256, is so fast that an attacker with a stolen table can test billions of guesses per second, so passwords must be stored with a salted, deliberately slow key‑derivation function such as bcrypt, scrypt, Argon2, or PBKDF2.
Considerations When Using Cookies, Sessions, Tokens, and JWT
Cookie values are under the client's control: validate them, sign or encrypt them if the server must trust their content (Laravel's cookie middleware does this), and never store sensitive data in them.
Sessions consume server memory; need cleanup and sharing strategies in clustered environments.
Opaque tokens may be stored in an in‑memory store like Redis for fast lookup and immediate revocation.
A JWT's payload is only base64url‑encoded, not encrypted: anyone holding the token can read its claims, so do not place secret data inside unless you use JWE, and always send tokens over HTTPS.
Distributed Session Sharing Solutions
Session replication across nodes (broadcast changes).
Sticky sessions/IP binding via load balancer (e.g., Nginx ip_hash).
Shared session stores using distributed caches like Redis or Memcached.
Persisting sessions in databases for durability.
Laravel Tech Community