JWT vs Session

Session

  • store session @ database

  • horizontal scaling is an issue.

Compare the session_id in the cookie with the session stored in the DB.

JWT

  • no storage @ database

  • no scaling issue

Token sent to client -> token sent back to server -> server validates the JWT.

signature = Hash( data, secret );

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

                   Session                      Token
Server storage     Yes                          No
Scalability        difficult                    No issue
Multiple device    problem from cross domains   No issue
Size               small                        big
Expiry             Easy                         difficult

Claim

Claims are statements about a user and additional data.

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}
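The signature formula above and the claims object, put together as an added example (not code from the original note): a minimal HS256 signer and verifier in Python. `SECRET` is a constructed demo value; the verifier pins the algorithm server-side, compares the signature in constant time and honours `exp`, which is the only expiry a stateless JWT has because there is no server-side session to delete (the reason the table marks expiring a token as difficult).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret for this example; real keys are random, >= 32 bytes, server-side only.
SECRET = b"demo-secret-do-not-use"

def b64url_encode(data: bytes) -> str:
    # JWT uses base64url with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(payload: dict, secret: bytes) -> str:
    # signature = HMACSHA256(base64url(header) + "." + base64url(payload), secret)
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_jwt(token: str, secret: bytes, now=None):
    # Returns the claims dict on success, None on any failure: a token is trusted whole or not at all.
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm server-side; the token's own header must not choose it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    # No server-side state exists to delete, so "exp" is the only built-in expiry.
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims
```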

Refresh Token

              Access token        Refresh token
Lifetime      shorter-life        longer-life
Sent to       resource server     auth server
Storage       -                   save with higher security
Use           -                   use when a new access token is needed / to expire an access token

  1. When accessing important features, the user must re-enter the password along with the refresh token.
