Session-Based Authentication

Introduction

Session-based authentication is a method of authenticating users by creating a session on the server and storing the session ID in the client. The server then uses the session ID to identify the user across multiple requests.

This is different from token-based authentication, where the user provides a token (e.g., JWT) to the server and the server verifies the token.

How it works

The session is created when the user logs in. The server returns the session ID to the client, which stores it in the browser (in a cookie) and sends it back with every subsequent request; the server looks the ID up in its session store to identify the user across multiple requests.

[Sequence diagram: Client and Server]

Login / Sign in / Create session:
  Client -> Server: POST /sessions
  Server: Create session in DB
  Server -> Client: response with session id
  Client: Save session in cookie

Access to protected resource:
  Client -> Server: /protected-resource (request with cookie)
  Server: Verify session
  Server -> Client: response

When to use session-based auth

  • When security is a priority: Because the session lives on the server, it is easy to invalidate sessions and force logouts when needed.
  • When you don't need to scale across multiple servers: Every server must be able to find the session, so unless you use sticky sessions or a shared session store like Redis, scaling can be tricky.
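A minimal in-memory version of the flow above, including the server-side invalidation that the first bullet relies on. This is an added example, not code from the original page; the credential check, the `sid` cookie name and the one-hour lifetime are assumptions made for the example.

```python
import secrets
import time
from typing import Optional

# In-memory store standing in for the "DB" in the diagram:
# session id -> {"user": ..., "expires": ...}. Constructed for this example.
SESSIONS = {}
SESSION_TTL = 3600  # assumed lifetime in seconds


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Create a session on successful login and return the new session id."""
    # Constructed credential check; a real server would verify a password hash.
    if (username, password) != ("alice", "correct horse"):
        return None
    now = time.time() if now is None else now
    # The id is the only thing binding the cookie to the user, so it must be
    # unguessable: 32 bytes from the OS CSPRNG.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "expires": now + SESSION_TTL}
    return sid


def set_cookie_header(sid: str) -> str:
    """Build the Set-Cookie header returned with the login response."""
    # HttpOnly keeps scripts away from the id, Secure limits it to HTTPS,
    # SameSite limits cross-site requests that carry it.
    return f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age={SESSION_TTL}"


def parse_cookie(cookie_header: str) -> Optional[str]:
    """Extract the sid value from a Cookie request header."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return value or None
    return None


def verify_session(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """Server-side 'Verify session' step: return the user for a valid cookie, else None."""
    now = time.time() if now is None else now
    sid = parse_cookie(cookie_header)
    entry = SESSIONS.get(sid) if sid else None
    if entry is None:
        return None
    if entry["expires"] <= now:
        SESSIONS.pop(sid, None)  # expired: drop it so it cannot be reused
        return None
    return entry["user"]


def logout(sid: str) -> bool:
    """Invalidate a session on the server; the cookie is useless immediately."""
    return SESSIONS.pop(sid, None) is not None
```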

Differences with token-based auth

I highly recommend watching this video from ByteByteGo to understand the differences.