search

JWT vs Session

hashtag
Session

  • store session @ database

  • horizontal scale is an issue.

compare session_id in cookie & seesion in db.

hashtag
JWT

  • no storage @ database

  • no scaling issue

token send to client -> token send back to server -> validate JWT

signature = Hash( data, secret );

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

Session

Token

Server storage

Yes

No

Scalability

difficult

No issue

Multiple device

problem from cross domains

No issue

Size

small

big

Expired

Easy

difficult

hashtag
Claim

Claims are statements about an user and additional data.

hashtag
Refresh Token

Access token

Refresh token

shorter-life

longer-life

resource server

auth server

-

save with higher security

-

use when new access token needed / expire access token

  1. When accessing important features, you need to re-enter password with refresh token.

hashtag

PreviousIntroductionNextStream & Multipart

Last updated