Understanding Tokens, Sessions, Cookies, JWT, and OAuth2: A Complete Guide
This article demystifies authentication concepts—Cookie, Session, Token, JWT, and OAuth2—using clear analogies, explains their inner workings, advantages, drawbacks, and provides practical guidance on when to choose each mechanism for modern web applications.
Token, Session, Cookie, JWT, OAuth2: Finally Got It!
As a developer you encounter these terms daily; this article explains them in plain language.
Life‑scene analogy
Imagine a gym where different items represent authentication mechanisms.
Cookie is like your membership card that the gym gives you; each visit it identifies you.
Session is the gym’s logbook that records recent visits and purchased classes.
Token is a one‑time wristband that lets you enter freely on the day it was issued.
JWT is a specially designed anti‑counterfeit wristband that prints your member information and permissions.
OAuth2 is the authorization protocol that allows other gyms (third‑party services) to use your membership.
Cookie: Your web ID card
Cookie is a small piece of data the server sends to the browser, stored client‑side and automatically sent with every request.
Stored in the browser
Sent automatically with each request
Size limit ~4 KB
Can have an expiration time
Example:
You tell a coffee shop you like latte, the barista writes it down and gives you a card (Cookie).
Next visit you show the card and get a latte automatically.
Cookies are not secure on their own: because they live on the client, they can be stolen or tampered with.
Session: Server’s notebook
Session stores user state on the server; the browser only receives a Session ID, usually via a Cookie.
Workflow:
Browser logs in
Server creates a Session with user data
Server sends Session ID to browser
Browser includes Session ID in subsequent requests
Server retrieves the Session using the ID
Continuation of coffee shop example:
The barista gives you a number tag (Session ID) and records “#123: likes latte” in a notebook.
You show the tag, the barista looks it up and knows what you want.
Sessions increase server memory load because each logged-in user's data is held on the server.
Token: Access credential
A token is a string that contains all necessary information, so the server does not need to keep state.
The most popular token standard is JWT.
JWT: Self‑contained token
JWT (JSON Web Token) is an open standard for securely transmitting information as a compact, self‑contained string.
Example token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
A JWT consists of three dot-separated parts:
Header – type and signing algorithm
Payload – data such as user ID and permissions
Signature – protects against tampering
Advantages: no server‑side session storage, good scalability. Note: once issued it cannot be revoked until expiration, so short lifetimes are recommended.
OAuth2: Authorization framework
OAuth2 is an authorization framework that lets third‑party applications access your resources without exposing your password.
Typical scenarios: “Log in with WeChat”, “Allow an app to access your GitHub repos”, “Grant an app read access to your Google contacts”.
OAuth2 defines four grant types; the most common is the Authorization Code flow:
App requests authorization from the authorization server
User consents
App receives an authorization code
App exchanges the code for an access token
App uses the access token to call protected APIs
The resulting access token can be a JWT.
Summary
Cookie : small client‑side data sent with each request.
Session : server‑side state identified by a Session ID.
Token : stateless credential.
JWT : self‑contained token format.
OAuth2 : framework for third‑party authorization.
How to choose
Simple internal systems – use Session/Cookie.
Front‑end/back‑end separation or mobile apps – use JWT.
Third‑party login/authorization – use OAuth2.
Understanding these concepts helps you pick the right solution for your scenario.
Architect's Tech Stack
Java backend, microservices, distributed systems, containerized programming, and more.