Understanding Authentication, Authorization, Credentials, Cookies, Sessions, Tokens and JWT
This article explains the fundamental concepts of authentication and authorization, the role of credentials, how cookies and sessions manage state, the differences between tokens and JWTs, common security mechanisms, and practical considerations for implementing them in web applications.
What is Authentication
Authentication is the process of verifying a user's identity, confirming that "you are you" (e.g., fingerprint check for clock‑in).
Username/password login
Email login link
SMS verification code
Receiving the code proves control of the registered phone number or mailbox, which stands in for ownership of the account
What is Authorization
Authorization decides what an authenticated identity is allowed to do. A common case is granting a third‑party application permission to access specific user resources, such as an app's permission to read photos or location.
Implemented via cookie, session, token, OAuth, etc.
What are Credentials
Credentials are the medium (certificate) that marks a visitor's identity, similar to a physical ID card or the historical Chinese identity tablet "照身帖".
In web apps, a successful login returns a credential (a session ID, or a token such as a JWT) that identifies the user on subsequent requests.
What is a Cookie
Because HTTP is stateless, the server sets a cookie: a small piece of data the client stores and sends back with later requests to the same site, linking them together. The attribute names below follow the Java Servlet Cookie API; on the wire (the Set‑Cookie header) they appear as Max‑Age, Expires, Secure, HttpOnly.
Name=Value : key‑value pair; the value must be a string of cookie‑safe characters (non‑ASCII text must be encoded, e.g. URL‑encoded, and binary data Base64‑encoded).
Domain : the domain the cookie is sent to (defaults to the current host only; setting it explicitly also includes subdomains).
Path : the route where the cookie is sent. Example: /abc makes the cookie available only under /abc and its sub‑paths such as /abc/read .
maxAge : lifetime in seconds; negative means a session cookie (discarded when the browser closes), 0 deletes the cookie immediately.
expires : absolute expiration time; Max‑Age takes precedence when both are present.
secure : sent only over HTTPS when true.
httpOnly : not readable by JavaScript (document.cookie), so a cross‑site scripting bug cannot steal it; it does not stop injected script from making requests that carry it.
SameSite : Strict, Lax or None; controls whether the cookie is sent on cross‑site requests, which limits CSRF.
What is a Session
A session records state on the server; only the session ID travels to the client, stored in a cookie.
User makes the first request; server creates a session.
Server returns the unique SessionID to the browser.
Browser stores the SessionID in a cookie.
Subsequent requests include the cookie; server retrieves the session using the SessionID.
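The cookie-and-session flow above, as an added example that is not part of the original article: a minimal in-memory session store in Python using only the standard library, with the Set-Cookie header the server emits and the lookup it performs on the next request. The cookie name, idle timeout and function names are illustrative assumptions.

```python
# Added example (not from the original article): a minimal server-side session
# store and the Set-Cookie / Cookie handling around it, standard library only.
# Cookie name, timeout and function names are illustrative assumptions.
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "SESSIONID"
IDLE_TIMEOUT = 30 * 60  # seconds of inactivity before the server drops a session


class SessionStore:
    """In-memory session table: session ID -> {data, last_seen}."""

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now  # injectable clock so expiry is testable

    def create(self, data):
        # 32 random bytes from the OS CSPRNG: unguessable, unlike a
        # sequential or timestamp-derived ID.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"data": dict(data), "last_seen": self._now()}
        return sid

    def get(self, sid):
        """Return the session data for sid, or None if unknown or idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # idle timeout: drop the server-side state
            return None
        entry["last_seen"] = self._now()
        return entry["data"]

    def destroy(self, sid):
        """Logout: server-side invalidation makes the client's cookie value useless."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """Build the Set-Cookie value the server returns after creating a session."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = sid
    morsel = cookie[SESSION_COOKIE]
    morsel["path"] = "/"
    morsel["httponly"] = True   # not readable via document.cookie, so XSS cannot exfiltrate it
    morsel["secure"] = True     # only sent over HTTPS
    morsel["samesite"] = "Lax"  # not sent on cross-site POSTs, reducing CSRF exposure
    # No max-age/expires: a session cookie, discarded when the browser closes
    return morsel.OutputString()


def session_id_from_request(cookie_header):
    """Extract the session ID from an incoming Cookie header (None if absent)."""
    if not cookie_header:
        return None
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def demo():
    store = SessionStore()
    # Steps 1-2: first request authenticates; server creates the session and returns the ID
    sid = store.create({"uid": 42, "role": "user"})
    header = set_cookie_header(sid)
    # Steps 3-4: browser stores the cookie and sends it back; server looks the session up
    cookie_header = f"{SESSION_COOKIE}={sid}; theme=dark"  # constructed sample request header
    data = store.get(session_id_from_request(cookie_header))
    # A forged or stale ID finds nothing server-side
    forged = store.get(session_id_from_request(f"{SESSION_COOKIE}=AAAA"))
    return header, data, forged


if __name__ == "__main__":
    print(demo())
```

The server never trusts anything in the cookie except the ID itself, and the ID only has meaning while the server-side entry exists; logout and idle timeout work by deleting that entry, which is the revocation property a stateless token lacks.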
Cookie vs Session
Security: session data stays on the server, where the client can neither read nor tamper with it; cookie contents are under the client's control and must be treated as untrusted input (the session ID cookie itself still needs Secure/HttpOnly and an unguessable value).
Data type: a cookie holds only strings; a session can hold any server‑side object.
Lifetime: a cookie can be long‑lived (expires/maxAge); a session is typically dropped after an idle timeout or when its session cookie disappears at browser close.
Size: a cookie is limited to about 4 KB; a session is limited only by server storage.
What is a Token
A token (access token) is the credential the client must present to call protected APIs.
Simple token structure: uid|timestamp|sign , where sign is a MAC (typically HMAC) over uid|timestamp computed with a server‑side secret; the server verifies by recomputing the signature and checking the timestamp against the allowed lifetime.
Features: the server keeps no per‑user state (so it scales horizontally), works for mobile and other non‑browser clients, can be shared across services, and is tamper‑evident as long as the signing key stays secret.
Token Authentication Flow
Client sends username/password.
Server validates credentials.
Server issues a token and returns it.
Client stores the token (e.g., in a cookie or localStorage; note that localStorage is readable by any script on the page, so an XSS bug exposes it).
Each subsequent request includes the token, usually in the Authorization: Bearer <token> header.
Server validates the token (signature and expiry); if valid, the request proceeds.
Refresh Token
A refresh token is a longer‑lived credential used to obtain a new access token when the short‑lived one expires, without re‑entering credentials; because it is sensitive and long‑lived it is normally kept server‑side so it can be revoked and rotated.
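The uid|timestamp|sign token and the issue/verify/refresh flow described above, as an added example that is not part of the original article: the access token is signed with HMAC-SHA256 and verified statelessly, while the refresh token is an opaque random value held server-side so it can be revoked and is rotated on every use. The secret, lifetimes and function names are illustrative assumptions.

```python
# Added example (not from the original article): the article's uid|timestamp|sign
# token, issued and verified with an HMAC over the first two fields, plus an
# opaque, single-use refresh token kept server-side. Secret, TTLs and names
# are illustrative assumptions.
import hashlib
import hmac
import secrets
import time

SECRET = b"replace-with-a-random-256-bit-key-loaded-from-the-environment"
ACCESS_TTL = 15 * 60          # short-lived access token (seconds)
REFRESH_TTL = 30 * 24 * 3600  # long-lived refresh token (seconds)


def _sign(msg: str) -> str:
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()


def issue_access_token(uid: int, now=None) -> str:
    """uid|issued_at|sign: verifiable later without any database lookup."""
    issued = int(now if now is not None else time.time())
    body = f"{uid}|{issued}"
    return f"{body}|{_sign(body)}"


def verify_access_token(token: str, now=None):
    """Return the uid if the token is authentic and unexpired, else None."""
    try:
        uid_s, issued_s, sig = token.split("|")
        issued = int(issued_s)
    except ValueError:
        return None  # malformed
    body = f"{uid_s}|{issued}"
    # Constant-time comparison: a plain == leaks the correct signature
    # byte by byte through timing differences.
    if not hmac.compare_digest(sig, _sign(body)):
        return None  # tampered or forged
    current = now if now is not None else time.time()
    if current - issued > ACCESS_TTL:
        return None  # expired: the client must use its refresh token
    return int(uid_s)


class RefreshStore:
    """Server-side table of refresh tokens. Unlike access tokens these are
    stateful, so they can be revoked, and they are rotated on every use."""

    def __init__(self):
        self._tokens = {}  # refresh token -> (uid, expires_at)

    def issue(self, uid: int, now=None) -> str:
        current = now if now is not None else time.time()
        rt = secrets.token_urlsafe(32)
        self._tokens[rt] = (uid, current + REFRESH_TTL)
        return rt

    def refresh(self, rt: str, now=None):
        """Exchange a refresh token for a new access token and a new refresh token."""
        current = now if now is not None else time.time()
        entry = self._tokens.pop(rt, None)  # single use: replaying the old value fails
        if entry is None:
            return None
        uid, expires_at = entry
        if current > expires_at:
            return None
        return issue_access_token(uid, now=current), self.issue(uid, now=current)

    def revoke_all(self, uid: int):
        """Logout everywhere / password change: drop every refresh token for uid."""
        self._tokens = {k: v for k, v in self._tokens.items() if v[0] != uid}


if __name__ == "__main__":
    tok = issue_access_token(7)
    print(tok, verify_access_token(tok))
```

Note the asymmetry this makes explicit: an access token cannot be revoked before its timestamp expires, which is why the lifetime is short, while the refresh token can be pulled from the table at any time.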
What is JWT (JSON Web Token)
JWT is a widely used token format for cross‑domain authentication: a set of claims encoded as JSON and signed so the recipient can detect tampering.
Signed with a shared secret (HMAC, e.g. HS256) or an asymmetric key pair (RSA or ECDSA, e.g. RS256/ES256).
Self‑contained: the payload carries user information, so the server can authorize a request without a database lookup; the payload is only Base64url‑encoded, not encrypted, so it must not contain secrets.
Generating a JWT
Use a JWT library in the application itself; tools such as jwt.io or jsonwebtoken.io are useful for inspecting and debugging tokens (never paste production signing keys or live tokens into a third‑party web page).
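What such a library does internally, as an added example that is not part of the original article: a minimal HS256 JWT encoder and verifier using only the Python standard library, so the three Base64url parts and the verification checks (pinned algorithm, signature, expiry) are visible. It also builds the classic "alg: none" forgery to show it being rejected. The key and claim values are illustrative assumptions; production code should use a maintained library such as PyJWT.

```python
# Added example (not from the original article): a minimal HS256 JWT encoder and
# verifier, standard library only. Key and claims are illustrative assumptions;
# use a maintained library (e.g. PyJWT) in production.
import base64
import hashlib
import hmac
import json
import time

KEY = b"replace-with-a-random-256-bit-key-loaded-from-the-environment"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def encode_jwt(claims: dict, key: bytes = KEY, ttl: int = 900, now=None) -> str:
    """header.payload.signature, with iat/exp set so the token expires after ttl seconds."""
    issued = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=issued, exp=issued + ttl)
    signing_input = f"{b64url(_json(header))}.{b64url(_json(payload))}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def decode_jwt(token: str, key: bytes = KEY, now=None) -> dict:
    """Verify and return the claims; raise ValueError on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        raise ValueError("malformed token")
    # Pin the algorithm: the header is attacker-controlled, so never let it
    # choose "none" or switch the verifier from HMAC to a public key.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig_b64), expected):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    current = now if now is not None else time.time()
    if current >= payload.get("exp", 0):
        raise ValueError("expired")
    return payload


def peek_claims(token: str) -> dict:
    """The payload is only Base64url-encoded, not encrypted: anyone holding
    the token can read it without the key. Never put secrets in claims."""
    return json.loads(b64url_decode(token.split(".")[1]))


def forge_alg_none(token: str) -> str:
    """The classic 'alg: none' attack: keep the payload, swap the header to
    alg none and drop the signature. decode_jwt rejects it."""
    _, payload_b64, _ = token.split(".")
    return f"{b64url(_json({'alg': 'none', 'typ': 'JWT'}))}.{payload_b64}."


if __name__ == "__main__":
    t = encode_jwt({"sub": "42", "role": "user"})
    print(t)
    print(decode_jwt(t))
```

The order of checks matters: the algorithm is pinned before the signature is examined, and the payload is parsed only after the signature verifies, so nothing attacker-controlled drives the verification logic.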
JWT Usage
Store the JWT in a cookie (preferably HttpOnly) or in localStorage.
Send it in the Authorization: Bearer <token> header for protected routes.
Server validates the signature and expiry; no session state is needed.
<code>GET /calendar/v1/events
Host: api.example.com
Authorization: Bearer <token></code>
Common Authentication Methods
Session‑Cookie
Token verification (including JWT and SSO)
OAuth 2.0
Common Security Considerations
Never store passwords in plain text; store a salted hash.
Avoid fast general‑purpose hashes (MD5, SHA‑1, even plain SHA‑256) for passwords; use a slow, salted password‑hashing function such as bcrypt, scrypt, Argon2 or PBKDF2.
Transmit credentials over HTTPS only.
When using JWT, keep the expiration short and plan a revocation strategy (e.g., a server‑side denylist of token IDs, or rotating the signing key), since a signed token stays valid until it expires.
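The password-storage advice above, as an added example that is not part of the original article: salted scrypt hashing from the Python standard library, stored as a self-describing string so the cost parameters can be raised later, next to the unsalted MD5 pattern the text warns against. The cost parameters and record format are illustrative assumptions; maintained libraries such as argon2-cffi or bcrypt are the usual production choice.

```python
# Added example (not from the original article): salted scrypt password hashing
# with the standard library, beside the unsalted fast hash the text warns against.
# Cost parameters and the record format are illustrative assumptions.
import base64
import hashlib
import hmac
import secrets

# scrypt cost parameters: N (CPU/memory cost), r (block size), p (parallelism).
# 2**14 / 8 / 1 uses 16 MiB and tens of milliseconds per hash on a modern CPU.
N, R, P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Return 'scrypt$N$r$p$salt$digest' with a fresh random salt."""
    salt = secrets.token_bytes(16)  # unique per password: equal passwords hash differently
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return "scrypt${}${}${}${}${}".format(
        N, R, P, base64.b64encode(salt).decode(), base64.b64encode(digest).decode()
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters embedded in the record and compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False  # corrupt or foreign record
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(digest, expected)


def weak_md5(password: str) -> str:
    """What NOT to do: an unsalted, fast hash. Equal passwords give equal
    hashes, and precomputed tables or GPUs crack it in bulk."""
    return hashlib.md5(password.encode()).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

Embedding N, r and p in the stored record lets you raise the cost for new hashes while old records still verify, and rehash a user's password on their next successful login.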