
Why Sessions Burden Servers and How Token‑Based Authentication Solves It

This article traces the evolution from simple web page browsing to modern token‑based authentication, explaining the scalability and security problems of server‑side sessions and showing how signed, stateless tokens using HMAC‑SHA256 eliminate those issues while supporting horizontal scaling and cross‑platform access.

Efficient Ops

History

1. In the early days the web was just document browsing: the server had no need to track who viewed what, and each request was an independent HTTP transaction.

2. Interactive web applications such as online shopping required login, which created the session problem: the server issues each client a random session ID (an opaque string), and the client sends it with every request so the server can tell users apart.

3. Storing every session ID on the server becomes a heavy load, especially when scaling out to many machines: session stickiness, session replication and a single point of failure all become concerns.

4. To avoid storing sessions, the client can keep the session data itself, but then the server must be able to verify that the data is authentic. Signing the data with HMAC‑SHA256 under a server‑side secret key produces a token the client cannot tamper with.

The server stores nothing; on each request it recomputes the HMAC over the presented data and compares the result with the presented signature. If they match, the data is authentic and the user is authenticated.

The token's data is plain text (usually only Base64‑encoded, not encrypted), so sensitive information such as passwords must never be placed inside it.

Removing session storage makes the system stateless, allowing easy horizontal scaling.

Cookie

A cookie is a piece of data the server generates and the browser stores persistently, sending it back with subsequent requests to that domain. Browsers limit the number and size of cookies per domain.

Session

A session is temporary server‑side storage of user information, typically identified by a cookie. Sessions are more secure than keeping the data in raw cookies, but they work poorly behind a load balancer because the session data may live on a different node than the one handling the request.

Token

Token‑based authentication is stateless and scalable, and is widely used in web APIs (e.g., Facebook, Twitter, GitHub). Its key advantages are:

- Stateless and scalable
- Supports mobile devices
- Enables cross‑program calls
- Improves security

Origins of Token Authentication

Traditional server‑side authentication stores session data, leading to memory overhead, scalability problems, CORS complications, and CSRF risks.

Token authentication eliminates server‑side storage; each request carries a signed token, typically sent in an HTTP header.

Token Authentication Process

1. The user sends a username and password.
2. The server validates the credentials.
3. The server returns a signed token to the client.
4. The client stores the token and includes it in subsequent requests.
5. The server verifies the token and returns the requested data.
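The five steps above, together with the HMAC‑SHA256 signing and recomputation described in the History section, carried through in Python as an added example (this is not code from the original article). Everything here is constructed for illustration: the secret key, the single‑user store, the PBKDF2 password hash and the `sub`/`iat`/`exp` field names are assumptions. The signature check uses `hmac.compare_digest` so that the comparison runs in constant time, and the token carries an expiry timestamp as the Advantages section suggests.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 3600


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding: readable by anyone, this is NOT encryption."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding Python's decoder expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Step 2: credential validation against a constructed user store ---------

USER_SALT = b"constructed-per-user-salt"  # one user, one salt, for the demo


def hash_password(password: str, salt: bytes = USER_SALT) -> bytes:
    """PBKDF2-HMAC-SHA256; the password itself never goes into the token."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {"alice": hash_password("correct horse battery staple")}


# --- Step 3: issue a signed, stateless token ---------------------------------

def issue_token(user_id: str, key: bytes = SECRET_KEY,
                ttl_seconds: int = TOKEN_TTL_SECONDS,
                now: Optional[int] = None) -> str:
    """Return '<base64url payload>.<base64url HMAC-SHA256 of payload>'."""
    now = int(time.time()) if now is None else now
    payload = {"sub": user_id, "iat": now, "exp": now + ttl_seconds}
    body = b64url_encode(json.dumps(payload, separators=(",", ":"),
                                    sort_keys=True).encode("utf-8"))
    signature = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{b64url_encode(signature)}"


def login(username: str, password: str, now: Optional[int] = None) -> Optional[str]:
    """Steps 1-3: check the password, then hand back a token (or None)."""
    stored = USERS.get(username)
    if stored is None:
        return None
    if not hmac.compare_digest(stored, hash_password(password)):
        return None
    return issue_token(username, now=now)


# --- Step 5: verify without any server-side state ---------------------------

def verify_token(token: str, key: bytes = SECRET_KEY,
                 now: Optional[int] = None) -> Optional[dict]:
    """Recompute the HMAC over the presented body and compare in constant time.

    Returns the payload dict on success, or None for a malformed, tampered,
    wrongly-keyed or expired token. The signature is checked before the body
    is parsed, so unauthenticated input never reaches the JSON parser.
    """
    now = int(time.time()) if now is None else now
    try:
        body, sig_text = token.split(".")
        presented = b64url_decode(sig_text)
    except ValueError:  # wrong number of segments or bad base64 padding
        return None
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    try:
        payload = json.loads(b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


if __name__ == "__main__":
    tok = login("alice", "correct horse battery staple")
    print("issued:", tok)
    print("verified:", verify_token(tok))
    print("wrong key:", verify_token(tok, key=b"some-other-key"))
```

The body segment is only Base64url‑encoded, so anyone holding the token can read `sub`, `iat` and `exp`; that is exactly why the article says passwords must never be stored inside. JWT standardizes the same body‑dot‑signature shape (adding a header segment that names the algorithm), so this block is the minimal form of what a JWT library does for you.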

Advantages of Tokens

Because the server holds no session state, a load balancer can route any request to any server. Sending the token in a request header instead of relying on a cookie mitigates CSRF attacks. Tokens can carry an expiration time, can be revoked, and can be scoped to grant limited permissions to third‑party applications.

Standards

JSON Web Tokens (JWT) are the de‑facto standard for creating and verifying tokens.

Source: https://www.cnblogs.com/moyand/p/9047978.html

Tags: token authentication, web security, stateless, session management, HMAC
Written by Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
