How Authentication Works: JWT vs Sessions Explained
Source: Dev.to
What Is Authentication?
Authentication is the process of verifying a user’s identity before granting access to a system.
For example, when a user logs into a website:
- The user enters credentials (email/password)
- The server verifies those credentials
- The server issues something the browser can present on later requests to prove who it is: either a session ID that points at state kept on the server, or a signed token that carries that state itself
The third step is where sessions or JWTs come into play.
Session-Based Authentication
How Sessions Work
When a user logs in:
- The user sends login credentials to the server.
- The server verifies them.
- The server creates a session on the server.
- A session ID is sent back to the browser as a cookie.
- The browser sends this cookie with every request.
The server then checks the session ID to determine whether the user is authenticated.
Advantages of Session Authentication
- Simple to implement
- Easy to revoke: deleting the server-side record logs the user out on their very next request
- The browser holds only an opaque ID; with the HttpOnly attribute page scripts cannot read it, and the Secure and SameSite attributes limit where it is sent
- Well supported by frameworks
Limitations
- Sessions require server-side storage (memory, a cache or a database)
- Harder to scale horizontally: every server that handles a request must be able to look up the session
- Requires a shared session store, or sticky routing of each user to one server
JWT Authentication
JWT (JSON Web Token) authentication is commonly used in modern APIs, microservices, and mobile applications.
Instead of storing session data on the server, a JWT carries the authentication claims inside the token itself, signed by the server so that a later request can be checked without a lookup.
What Is a JWT?
A JWT is a compact, URL-safe token used to transmit signed claims between a client and a server. Note that a standard JWT is base64url-encoded, not encrypted: anyone holding the token can read its contents, and the signature only guarantees that they have not been changed.
A typical JWT consists of three base64url-encoded parts, separated by dots:
- Header – describes the token type and the signing algorithm (for example HS256 or RS256).
- Payload – contains the claims (e.g., the user ID in `sub`, the expiration time in `exp`).
- Signature – computed over the header and payload with the server's key; verifying it shows that the token hasn't been tampered with since it was issued.