HTTP is stateless. What does stateless mean? It means that HTTP does not remember the user: even if you have just logged in with your account and password, the next request has to prove your identity all over again.

Sessions and tokens are the two mechanisms commonly used for identity verification, and each has its own advantages and disadvantages. Some readers may wonder whether cookies belong in this list, or whether they are only used to store data.

Session Authentication Mechanism

Authentication process:

  • The user logs in to the server with an account and password
  • The server generates a session object and a corresponding session ID, records the user's session information in it, and returns the session ID to the browser. The browser can store the session ID in a cookie, localStorage, or sessionStorage
  • On the next request, the browser sends the session ID along with it
  • After receiving the session ID, the server checks whether a matching session object exists. If it does, authentication succeeds and the data is returned. If it does not, the user has to log in again

Session objects are stored on the server. Once the client has logged in, every subsequent request can be authenticated by its session ID. However, if the server is distributed or clustered, a user who logged in on server A will be asked to log in again as soon as a request is routed to another server B. This is unacceptable, and the usual solutions are:

  • Session persistence (sticky sessions): ensure that each client is always routed to the same server
  • Session replication: copy every session object to all servers
  • Session sharing: keep all sessions in one shared store that every server consults

Each of these adds cost, and as the number of users grows the server has to hold a correspondingly large number of session objects, which is a burden on the server.

Token Authentication Mechanism

Authentication process:

  • The user logs in to the server with an account and password
  • The server generates a token signed with a specific algorithm and returns it to the client
  • The client stores the token and sends it with every subsequent request
  • The server validates the token's signature and returns the data

Unlike session authentication, token authentication requires nothing to be stored on the server for each user; only the signing key has to live there. In that sense, server load does not grow with the number of users.
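As an added example (not code from the original article), here is a minimal Python version of steps 2 and 4 above: the server signs a small claims payload with HMAC-SHA256 and later checks it without looking anything up in server-side storage. The secret key, the claim names and the one-hour lifetime are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed server-side secret for this example; a real deployment loads it from
# configuration and rotates it. Only this key has to live on the server.
SECRET_KEY = b"example-secret-key-do-not-use"
TOKEN_TTL = 3600  # assumed token lifetime in seconds


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Step 2: after a successful login, sign a small claims payload.
    Nothing is stored on the server; the token carries the identity itself."""
    issued = int(now if now is not None else time.time())
    claims = {"sub": user_id, "exp": issued + TOKEN_TTL}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Step 4: recompute the signature, compare it in constant time, then
    check expiry. Returns the user id, or None when the token is rejected."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # payload was altered or the signature was forged
    claims = json.loads(payload)
    current = now if now is not None else time.time()
    if claims.get("exp", 0) <= current:
        return None  # expired; the client must log in again
    return claims.get("sub")
```

Standard JWTs follow the same pattern with an extra header segment and a registered set of claim names; the point that matters for the article's argument is that the server keeps only the key, not a per-user record.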

Cookie

Cookies are not an authentication mechanism. They belong to the same class as localStorage and sessionStorage: places to store data on the client. Because the browser automatically attaches cookies to every HTTP request, they are often used to hold user authentication data. That same automatic attachment is exactly what gives rise to the CSRF problem. The fix is equally simple: do not store user authentication information in a cookie.

Conclusion

A session is like a roster: every time a client visits the server, the server checks whether that client is on the list. A token is like a piece of ciphertext: every time a request arrives carrying a token, the server runs a specific algorithm to verify that the token is valid. Compared with sessions, tokens trade server CPU time (spent verifying the signature) for the server storage that would otherwise hold the session objects.
