Session, Cookie, JWT, Token, SSO, and OAuth 2.0

Pranav Bakare - Sep 8 - - Dev Community

Image description

Here’s an overview of each authentication and session management mechanism, along with examples:

1. Session

  • Concept: A session is a temporary and server-side record of user activity and state. When a user logs in, the server stores user information (session data) and gives the user a session ID, usually stored in a cookie on the client-side.
  • Example: In a web app, when a user logs in, the server creates a session and assigns a session ID. The session ID is sent to the user via a cookie. On subsequent requests, the browser sends this session ID back to the server, allowing the server to recognize the user and provide the appropriate data.

Flow:

  1. User logs in.
  2. Server generates session data and stores it in memory or a database.
  3. Server sends a session ID (cookie) to the browser.
  4. Browser sends the session ID with each request, and the server validates it.

2. Cookie

  • Concept: A cookie is a small piece of data stored on the client’s browser. It is used to remember information across multiple requests (e.g., authentication session data, preferences). Cookies can be either "session cookies" (expire when the browser is closed) or "persistent cookies" (stored on the user's device until they expire or are deleted).
  • Example: After logging in, a web app stores a session ID in a cookie (Set-Cookie header), and this cookie is sent to the server with every request to keep the user logged in.
  Set-Cookie: session_id=abc123; HttpOnly; Secure
Enter fullscreen mode Exit fullscreen mode



  1. JWT (JSON Web Token)

  • Concept: JWT is a stateless, token-based authentication mechanism. Unlike session cookies, JWTs are not stored on the server. Instead, the client stores the token (usually in local storage or cookies) and sends it with each request. The server verifies the token to authenticate the user.
  • Example: When a user logs in, the server generates a JWT, encodes user data (claims), signs it, and sends it back to the client. The client sends the JWT in the Authorization header for subsequent requests.

Flow:

  1. User logs in.
  2. Server generates and signs a JWT, sends it to the client.
  3. Client stores the JWT in local storage or a cookie.
  4. Client sends the JWT with every API request: http Authorization: Bearer <token>
  5. Server validates the JWT (signature and claims).

4. Token

  • Concept: A token is a piece of data (usually generated on the server) that allows a client to authenticate requests without storing session data on the server. Tokens can be session-based, like access tokens (for short-term use) and refresh tokens (for long-term use).
  • Example: In OAuth, when a user logs in with an external provider (like Google), they get an access token, which they use to make authenticated API requests.

Flow:

  1. User requests access.
  2. Server generates a token and sends it back to the client.
  3. Client sends the token on each request for authentication.

5. SSO (Single Sign-On)

  • Concept: SSO allows a user to log in once and gain access to multiple services without needing to log in again for each service. It typically uses a central identity provider (IdP), like Google or Okta, to authenticate users.
  • Example: If you log into Google, you can access Gmail, YouTube, and Google Drive without logging in again, thanks to SSO.

Flow:

  1. User tries to access a service (e.g., Gmail).
  2. Gmail redirects the user to the Google identity provider (IdP).
  3. User logs into Google.
  4. Google returns a token to Gmail, granting access to the user.
  5. The user is authenticated and can access other services (YouTube, Google Drive) without logging in again.

6. OAuth

  • Concept: OAuth is an authorization protocol that allows third-party apps to access a user’s resources on another service without exposing the user's credentials. OAuth uses tokens for granting access.
  • Example: When you sign in to an application using "Login with Google," the app is using OAuth to request permission to access your Google account.

Flow:

  1. User initiates login via Google (OAuth provider).
  2. User is redirected to Google, where they log in.
  3. Google asks for permission to share user data with the requesting app.
  4. Upon approval, Google provides the app with an access token.
  5. The app uses the access token to request user information from Google's API.

Summary of Use Cases

  • Session: Traditional server-based authentication; good for small apps.
  • Cookie: Stores small pieces of data like sessions, preferences.
  • JWT: Stateless, token-based authentication; suitable for microservices or mobile apps.
  • Token: Used in API-based authentication like OAuth.
  • SSO: Log in once to access multiple services.
  • OAuth: Authorization for third-party access without sharing passwords.

These mechanisms are often used in combination based on the specific security requirements of the application.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .