Difference between JWTs (JSON Web Token) and Session Based Authentication? When to use?
Difference between Session-Based Authentication vs JWTs (JSON Web Token) and when to use them
Hello guys, Happy New Year 2025 !!
I hope you all have made your goals or are in the process of making them. If one of your goals is to learn System Design, Java, or crack coding interviews, then I can help.
In the past, I have talked about common System Design questions like API Gateway vs Load Balancer, Horizontal vs Vertical Scaling, and Forward Proxy vs Reverse Proxy, as well as common System Design problems. In this article we will explore the difference between JWT and session-based authentication.
It's also one of the essential System Design topics for interviews, and you must prepare it well.
Authentication and authorization are two key concepts used in all kinds of applications, and a good understanding of them helps a lot, especially in interviews.
On this topic, one of the popular questions is: what is the difference between session-based authentication and JSON Web Tokens (JWT)?
This question is commonly asked of both beginners and experienced developers, especially if you have mentioned JWT on your resume.
While interviewers typically don’t expect a flawless answer (unless you’re applying for an API Security Engineer role), demonstrating a basic understanding of these concepts can significantly boost your chances.
In this article, I will explain the key differences between session-based authentication and JWT-based authentication and provide tips to help you ace this question.
Though, if you are learning these concepts as part of interview prep, I also suggest you check out sites like ByteByteGo, Design Guru, Exponent, Educative, Codemia.io, InterviewReddy.io and Udemy, which have many great System Design courses.
New Year Offer
I would like to thank you for reading Javarevisited in 2024. We are now 35K strong, which is a really big achievement, and it wasn't possible without your support. As a token of our appreciation, and for Christmas Day, we're offering you a limited-time offer of 35% off a paid subscription.
Instead of paying $50 / year, you pay $32.5 / year (only $3 / month)!
Here are the benefits you unlock with a paid subscription:
Get access to paid subscribers' posts. 📗
Access to the full archive of more than 115 posts 🏆
Many expense it with their team's learning budget
Session-Based Authentication
Session-based authentication works by storing session information on the server side and providing the user with a session ID to authenticate requests.
Think of it like a flight ticket: the user holds a ticket ID while the airline retains all relevant details in its database.
How Session-Based Authentication Works
The user logs in, and the frontend sends the credentials to the backend server.
The backend creates a session with a random, unguessable session ID (often signed with a server-side secret key) and stores the session data in a database or session store.
The server sends a cookie containing the unique session ID to the user’s browser.
For subsequent requests, the browser includes the session ID (via that cookie) in the request headers.
The server validates the session ID and grants access.
Here is how session-based authentication works in the real world:
Session-Based Authentication Advantages
Here are the key advantages of using session-based authentication in your project:
Easy to invalidate: Simply remove the session from the session store.
Centralized session management, making it easier to track and control user sessions.
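To make the five steps above and the two advantages concrete, here is an added example (my code, not from the original post, and written in Python rather than Java for brevity) of a minimal server-side session store. The store is an in-memory dict for illustration; a real deployment would use Redis, a database, or the web framework's own session manager. The cookie attributes and the `now` parameter (which exists only so expiry can be tested deterministically) are assumptions of this example.

```python
import secrets
import time

# Added example (not from the original post): a minimal server-side session
# store. It is an in-memory dict for illustration; a real deployment would use
# Redis, a database, or the web framework's own session manager.
class SessionStore:
    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        # session_id -> {"user": ..., "role": ..., "expires": ...}
        self._sessions = {}

    def create(self, user, role, now=None):
        """Login succeeded: mint an unguessable ID and keep the state server-side."""
        now = time.time() if now is None else now
        # 32 bytes from the OS CSPRNG; the ID is all the client ever holds, so
        # it must be impossible to guess or enumerate.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"user": user, "role": role, "expires": now + self.ttl}
        return session_id

    def validate(self, session_id, now=None):
        """Look up the ID sent in the cookie; return the session data or None."""
        now = time.time() if now is None else now
        data = self._sessions.get(session_id)
        if data is None:
            return None
        if now >= data["expires"]:
            del self._sessions[session_id]   # expired: drop it and treat as logged out
            return None
        return data

    def invalidate(self, session_id):
        """Logout: deleting the server-side record is all it takes."""
        return self._sessions.pop(session_id, None) is not None

    def invalidate_user(self, user):
        """Centralized control: log a user out of every device at once."""
        stale = [sid for sid, d in self._sessions.items() if d["user"] == user]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)

    def update_role(self, user, role):
        """Real-time state change: the very next request already sees the new role."""
        for d in self._sessions.values():
            if d["user"] == user:
                d["role"] = role


def session_cookie(session_id):
    """Set-Cookie value sent after login (attributes are this example's assumptions):
    HttpOnly keeps page scripts away from the ID, Secure keeps it off plaintext
    HTTP, SameSite=Lax limits cross-site sending."""
    return f"sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    sid = store.create("alice", "user")
    print(session_cookie(sid))
    print(store.validate(sid))   # the stored record for alice
    store.invalidate(sid)
    print(store.validate(sid))   # None: the session is gone immediately
```

Notice where the state lives: the browser only ever holds the random `sid`, so logout, forced logout of every device, and a role change are all single writes to the store, and the next request reflects them. The price is that every request does a store lookup, which is exactly the scaling bottleneck the disadvantages section describes.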
Session-Based Authentication Disadvantages
Nothing comes free, and session-based authentication is not magic either; it has its own share of drawbacks:
Scalability issues: Session storage can become a bottleneck as the number of users grows.
Dependency on the server to maintain session states.
Now, let’s see how JWT-based authentication works and what it offers in comparison to session-based authentication.
JWT-Based Authentication
JWT (JSON Web Token) authentication operates differently. Here, the session information is embedded directly into the token, which is signed and shared with the user.
It’s like a flight ticket that contains all your travel details, signed so that any alteration is detected.
How JWT Works
The user logs in, and the backend verifies the credentials.
The server issues a JWT, which is signed using a key that only the server holds (a private key or a server-side secret). No session storage is required.
The JWT is sent to the user’s browser (typically via a cookie).
For each subsequent request, the browser sends the JWT in the request headers.
The server validates the JWT and extracts user information from the token.
Here is how JWT-based authentication works in the real world:
JWT Advantages
Here are the key advantages of using JSON Web Tokens for authentication in your application:
Stateless: No need for a session store, making it easier to scale horizontally.
Portability: Can be used across multiple services and domains without a shared backend session store.
JWT Disadvantages
Invalidation challenges: Revoking a token before its expiration is complex.
Stale data: Once issued, the data in the token remains unchanged until it expires.
Larger payloads: JWTs can be bulky, increasing transmission costs.
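The JWT workflow above and the invalidation and stale-data drawbacks just listed, as one added example (my code, not from the original post, in Python using only the standard library). It uses HS256, where the signing key is a secret shared by the issuing and verifying servers, instead of the private key the post mentions; the key value, the `REVOKED_JTIS` denylist and the `now` parameter (for deterministic testing) are this example's assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Added example (not from the original post): HS256 JWTs built from the standard
# library. The key below is a constructed placeholder; a real key is random and
# kept only on the server.
SECRET_KEY = b"constructed-demo-key-replace-with-32-random-bytes"

# Server-side state that JWTs were supposed to avoid, but which reappears the
# moment "log out before exp" is a requirement. Entries can be dropped once the
# token they refer to would have expired anyway, so keep token lifetimes short.
REVOKED_JTIS = set()


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, key: bytes, ttl_seconds: int, now=None) -> str:
    """Login succeeded: embed the user's state in the token and sign it."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iat=now, exp=now + ttl_seconds, jti=secrets.token_hex(16))
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(body, separators=(",", ":")).encode()))
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def verify_jwt(token: str, key: bytes, now=None):
    """Each request: check signature and expiry, then trust the embedded claims.
    Returns the claims dict, or None for anything that must be rejected."""
    now = int(time.time() if now is None else now)
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        given_tag = _b64url_decode(s)
    except ValueError:          # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm on the server; never let the token choose how it is checked.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_tag):   # constant-time comparison
        return None
    if now >= claims.get("exp", 0):                    # missing exp counts as expired
        return None
    if claims.get("jti") in REVOKED_JTIS:              # early logout needs this lookup
        return None
    return claims


def revoke_jwt(claims: dict) -> None:
    """Logout before exp: remember the token ID so verify_jwt refuses it from now on."""
    REVOKED_JTIS.add(claims["jti"])


if __name__ == "__main__":
    token = issue_jwt({"sub": "alice", "role": "user"}, SECRET_KEY, ttl_seconds=300)
    print(token)
    print(verify_jwt(token, SECRET_KEY))           # claims, with no store lookup
    # Stale data: promoting alice in the database does not change the token she
    # already holds; it still says role=user until a new token is issued.
    print(verify_jwt(token, SECRET_KEY)["role"])
    revoke_jwt(verify_jwt(token, SECRET_KEY))
    print(verify_jwt(token, SECRET_KEY))           # None: rejected via the denylist
```

Two things are worth pointing out. First, `verify_jwt` never consults a database for the happy path: signature plus `exp` is all it needs, which is why a second service holding the same key can accept the token. Second, `revoke_jwt` only works because `REVOKED_JTIS` is checked on every request, which quietly reintroduces the shared server-side store; keeping `ttl_seconds` short bounds both how long a stolen or stale token stays usable and how long a revoked ID must be remembered.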
Session vs. JWT: Which Is Better?
The classic software engineering answer applies here: “It depends.” It depends on your application and its security requirements.
When to Use Sessions
If your application prioritizes session invalidation and real-time user state management.
When you want simplicity in managing logged-in users.
When to Use JWTs?
If scalability and portability across services are key.
When you want to minimize server dependency for authentication.
If you know this, you can use it in your answer or ask the interviewer questions to showcase your deep understanding of the topic.
How to Answer this Question on Interview?
One of the ways interviewers judge candidates is by their knowledge and insight and how they apply that knowledge to solve real-world problems. If you can clearly explain the following points, you’ll stand out as a candidate:
The basic workflows of session-based and JWT-based authentication.
Key benefits and trade-offs of each approach.
Real-world scenarios where one approach might be more suitable than the other.
For example:
Highlight that sessions are ideal for apps requiring quick logout or state changes.
Explain how JWTs simplify scalability but require careful planning for invalidation.
If you can incorporate these points in your answers and articulate them clearly, you can really impress your interviewer.
Pro Tip: Be Ready for Follow-Up Questions
One way both smart candidates and interviewers drive an interview is by suggesting follow-ups. As a candidate, you must anticipate that interviewers may probe deeper, asking about:
Hybrid approaches, such as using both sessions and JWTs.
Securing JWTs (e.g., implementing short expiration times or using refresh tokens).
Handling edge cases like token theft or session hijacking.
So, ideally you should also be prepared for these topics and questions, because if you cannot answer them, the interviewer will think that you don’t have a deep understanding of the topic and technology and just came in after reading a blog post like this one.
Of course you don’t want to come across like that. So be ready for follow-ups.
That’s all about the difference between JWT and session-based authentication in the real world. As I said, sessions are ideal for apps requiring quick logout or state changes, and JWTs simplify scalability but require careful planning for invalidation.
If your application prioritizes session invalidation and real-time user state management, then you should use session-based authentication; if scalability and portability across services are key, then JWT is the better option.
All the best with your System Design journey.