Web app session management patterns - JWT and session IDs
In web applications, session management is crucial for maintaining state and ensuring a smooth user experience across multiple interactions with the server. Here are some common session patterns used in web applications, explained in detail:
1. Server-Side Sessions
In server-side session management, the session data is stored on the server, and a session ID is sent to the client. The client uses this session ID for subsequent requests.
Process:
- Upon successful login, the server creates a session object and stores it in memory or a database.
- A random, unguessable session ID is generated and sent to the client, usually in a cookie. The ID is opaque: it identifies the session but carries no user data itself.
- For subsequent requests, the client sends the session ID.
- The server retrieves the session data using the session ID and processes the request.
Advantages:
- Security: Session data never leaves the server. The client holds only an opaque identifier, so nothing sensitive can be read or tampered with on the client, and a session can be revoked immediately by deleting it server-side. This is one reason high-assurance applications such as online banking typically prefer server-side sessions over JWTs.
- Smaller Client Payload: Only a session ID is stored on the client side, reducing the payload size.
Disadvantages:
- Scalability: Requires session replication or a centralized session store for load-balanced environments.
- State Management: The server needs to manage session expiration and cleanup.
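The server-side process above, written out as a small, added example (this is illustrative code, not code from the original page). It uses only the Python standard library; the store is an in-memory dict standing in for the Redis or database store a load-balanced deployment would need, and the idle timeout, cookie name and clock injection are assumptions of the example. It also covers the two points the lists raise: expiry and cleanup of idle sessions, and cookie flags that keep the ID away from page scripts and cross-site requests. The ID is additionally rotated after login, which defeats session fixation.

```python
import secrets
import time
from dataclasses import dataclass, field

# Assumed policy values for this example (not from the original page).
IDLE_TIMEOUT = 30 * 60      # seconds of inactivity before a session dies
COOKIE_NAME = "sid"


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    """In-memory server-side session store. A real deployment would back this
    with Redis or a database so every node behind the load balancer sees it."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, now=time.time):
        self._sessions = {}
        self._idle_timeout = idle_timeout
        self._now = now  # injectable clock so expiry can be tested deterministically

    def create(self, user_id):
        # 32 random bytes (256 bits) from the OS CSPRNG. The ID is opaque and
        # carries no user information, so guessing it is the only attack.
        sid = secrets.token_urlsafe(32)
        now = self._now()
        self._sessions[sid] = Session(user_id, now, now)
        return sid

    def get(self, sid):
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self._now() - sess.last_seen > self._idle_timeout:
            del self._sessions[sid]      # lazy expiry on access
            return None
        sess.last_seen = self._now()     # sliding idle window
        return sess

    def rotate(self, old_sid):
        """Issue a fresh ID for an existing session. Call this right after login
        so an attacker-planted pre-login ID (session fixation) becomes useless."""
        sess = self._sessions.pop(old_sid, None)
        if sess is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = sess
        return new_sid

    def destroy(self, sid):
        """Logout / revocation: takes effect on the very next request."""
        self._sessions.pop(sid, None)

    def sweep(self):
        """Background cleanup of idle sessions; returns how many were removed."""
        now = self._now()
        dead = [sid for sid, s in self._sessions.items()
                if now - s.last_seen > self._idle_timeout]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)


def set_cookie_header(sid):
    # HttpOnly: not readable by page scripts; Secure: sent over HTTPS only;
    # SameSite=Lax: not sent on cross-site POSTs, which blunts CSRF.
    return f"{COOKIE_NAME}={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def session_id_from_cookie(cookie_header):
    """Pull our cookie out of a raw Cookie request header value."""
    for part in (cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return value
    return None


def authenticate_request(store, cookie_header):
    """Return the user_id behind a request, or None if it has no valid session."""
    sid = session_id_from_cookie(cookie_header)
    sess = store.get(sid) if sid else None
    return sess.user_id if sess else None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.rotate(store.create("alice"))   # login, then rotate the ID
    print(set_cookie_header(sid))
    print(authenticate_request(store, f"theme=dark; {COOKIE_NAME}={sid}"))
    store.destroy(sid)
    print(authenticate_request(store, f"{COOKIE_NAME}={sid}"))
```

Because the server owns the state, logout is a dictionary delete and takes effect on the next request; that immediacy is exactly what a stateless token cannot offer without extra machinery.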
2. Client-Side Sessions (Token-Based Authentication)
In client-side session management, the session data itself is stored on the client, typically inside a signed token. These tokens are usually JSON Web Tokens (JWTs) and are stored in the client's local storage or in a cookie. Note that the payload of a standard signed JWT is only base64url-encoded, not encrypted: the signature stops tampering, but anyone holding the token can read its claims.
Process:
- Upon successful login, the server generates a token.
- The token is sent to the client and stored in local storage or a cookie. In a browser, local storage is readable by any script on the page, so an HttpOnly cookie is the safer place for it.
- For subsequent requests, the client sends the token in the HTTP headers (usually the Authorization header).
- The server verifies the token and, if valid, processes the request.
Advantages:
- Scalability: Everything the server needs is inside the signed token, so the server keeps no per-user state and any node can verify any request, which makes horizontal scaling easy.
- Simplicity: No need for server-side session storage.
Disadvantages:
- Security: A token is a bearer credential: whoever holds it is the user. If it leaks (for example through XSS against local storage, or through logs and proxies), it can be replayed until it expires, and because the server keeps no state it cannot simply be revoked; revocation needs short-lived tokens, a denylist, or both. The server must also verify the signature against a fixed, expected algorithm rather than trusting the token's own alg header.
- Token Size: Large tokens can increase the payload size of each request.
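The token-based process above, as an added example that is not part of the original page: an HS256 JWT issuer and verifier written with only the Python standard library (no PyJWT), so the structure header.payload.signature and every check are visible. The key, claim names and helper function names are assumptions of the example. The verifier pins the algorithm, compares the HMAC in constant time, and treats a missing or passed exp as fatal, since expiry is the only thing that ends a stateless token's life. Two helpers show what an attacker tries and what the checks stop: rewriting the readable payload while keeping the old signature, and submitting an unsigned alg=none token.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time


class InvalidToken(Exception):
    """Raised for any token the verifier refuses; the reason is for logs, not clients."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256 token: base64url(header).base64url(claims).base64url(HMAC)."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes, now=None) -> dict:
    """Verify signature and expiry; return the claims or raise InvalidToken."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed: expected header.payload.signature")
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        raise InvalidToken("undecodable header or signature")
    # Pin the algorithm. Choosing the verifier from the token's own header is
    # what makes "alg":"none" and RS256->HS256 key-confusion forgeries work.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("algorithm not allowed")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")
    try:
        claims = json.loads(_b64url_decode(body_b64))
    except (ValueError, binascii.Error):
        raise InvalidToken("undecodable payload")
    # The server keeps no state, so 'exp' is the only thing that ends the token's life.
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)):
        raise InvalidToken("missing exp")
    if now >= exp:
        raise InvalidToken("expired")
    return claims


def token_is_valid(token: str, key: bytes, now=None) -> bool:
    try:
        verify_jwt(token, key, now)
        return True
    except InvalidToken:
        return False


def forge_unsigned_token(claims: dict) -> str:
    """What an attacker submits against a verifier that honours alg=none."""
    return _json_segment({"alg": "none", "typ": "JWT"}) + "." + _json_segment(claims) + "."


def swap_payload(token: str, new_claims: dict) -> str:
    """Keep header and signature, replace the claims. The payload is only base64,
    so anyone can read or rewrite it; only the signature check stops this."""
    head_b64, _, sig_b64 = token.split(".")
    return f"{head_b64}.{_json_segment(new_claims)}.{sig_b64}"


if __name__ == "__main__":
    key = b"\x00" * 32  # example key only; load a real one from a secret store
    tok = sign_jwt({"sub": "alice", "role": "user", "exp": int(time.time()) + 600}, key)
    print(tok)
    print(verify_jwt(tok, key))
    print(token_is_valid(swap_payload(tok, {"sub": "alice", "role": "admin", "exp": 9e9}), key))
    print(token_is_valid(forge_unsigned_token({"sub": "admin", "exp": 9e9}), key))
```

Run it and decode the middle segment of the printed token by hand: the claims are plainly readable, which is why secrets never belong in a JWT payload. Note also what the verifier does not do: it has no way to reject a token that was validly issued and later stolen, short of its exp passing.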
Important things to note
- Session IDs and JWTs can be used in parallel, for example an opaque session cookie for browser users and a bearer JWT for API and service clients of the same application.
- Both a session ID and a JWT can be carried in a cookie or in a header. Web browsers generally use cookies; where services talk to each other, a JWT in the Authorization header is preferred.
- JWTs are the modern way to authenticate and authorize users. A common example is signing in to an app with Google Sign-In or Facebook Login: the identity provider authenticates the user and issues a signed token (an OpenID Connect ID token, which is a JWT) carrying the claims the user consented to share, and the third-party app verifies the signature and reads those claims.
- JWTs are also useful where cookies cannot be used, e.g. server-to-server communication.
Published on: Jun 12, 2024, 03:09 AM