Sessions vs JWT vs Cookies.
Understanding Authentication Approaches

What sessions are.
Before looking at session authentication, it helps to remember why we need authentication at all: on each request, we want to check whether the user is valid or not.
Now look at session-based authentication. In this approach, we store each user's session in the database and return that session to the user.
Let's see step by step how it works. First, the user logs in. At the time of login, we obviously validate the user's data. The second thing we do is create a session. You can also call it a unique ID. We store that unique ID in our database and return it to the user.
Now the session is stored in the database and the user also has it. Next time, whenever the user makes another request, they will send that session along with the request. First, we check that session in the database. If the user’s session matches the stored session in the database, then we resolve the request. Otherwise, we reject the request with an error.
So this is how session-based authentication works.
What cookies are.
Basically, cookies are used to store some application-related data in the user's browser. Whenever the user visits the application again, we can extract the required user-related information from those cookies. Because of this, we do not need to ask the user for the same data again and again.
Cookies can be of many types. For example, session cookies are used to store the user's session information. Another common use case is authentication. During login, we create a token and store that token inside the user's cookies.
Next time when the user comes back, we extract the data from the cookies, verify it, and then provide the requested service or display the user-related information.
So this is the basic overview of cookies.
What JWT tokens are.
A JSON Web Token (JWT) is also a type of token, but it stores the user's details inside the token itself. Unlike session-based authentication, this token is not stored in the database. Instead, it is stored on the client side.
The server holds a secret key that is used to validate the token. Whenever the client makes another request, we extract the token from the request, verify it using the secret key, and extract the data from it.
After that, we check that data in the database. If the user is found, then we provide the requested service to the user. Otherwise, we reject the request.
Stateful vs Stateless authentication.
We have discussed both types above. Now let's look at stateful and stateless authentication one by one, and at the difference between them.
Stateful :-
Stateful authentication means the server stores the user's authentication data or session information. Because of this, the server always remembers the user state.
A common example of stateful authentication is session-based authentication. In this approach, when the user logs in, the server creates a session or unique ID, stores it in the database, and returns it to the user.
Next time, whenever the user makes a request, the session is sent along with the request. The server checks that session in the database. If the session matches, the request is resolved; otherwise, the request is rejected.
So in stateful authentication, the server stores and manages the authentication state.
Stateless :-
Stateless authentication means the server does not store the user's authentication state or token in the database.
A common example of stateless authentication is JWT authentication. In this approach, when the user logs in, a token is created that contains the user’s details. This token is stored on the client side instead of the server or database.
So in stateless authentication, the server does not store authentication state because all the required information is carried inside the token itself.
Difference between session-based auth and JWT.
The main difference between these two is that JWT authentication is faster and more scalable. It is fast because on every request we do not always need to make a database call to check the session. We only need to verify the token, extract the data from it, and attach that user data to the request.
In session-based authentication, every request makes a database call to check the stored session. Because of this, the number of database calls can grow very large.
Now assume the number of users increases, and all of them send requests at the same point in time. In that case, the number of database calls will also increase, which can affect performance and increase server load.
That is why JWT authentication is generally considered faster and better for handling large-scale applications.
When to use each method.
When to use Stateful Authentication.
Stateful authentication is mostly used when you want full control over user sessions. Because the user's session is stored in the database and we have database access to change anything, if a user misbehaves we can block them more easily or destroy their session at any time. Examples of where it is used:
Banking applications
Admin panels
When to use Stateless Authentication.
Stateless authentication is mostly used in modern applications where scalability and performance are important. Since the server does not store sessions, it reduces database load and handles large numbers of requests more efficiently.
As discussed above, JWT is used for this type of authentication.