• Login
  • Register
Saturday, July 18, 2026
Generate QR Codes
Free PDF Tools
Free Web Audit 360
TechSansar.com
  • Services
  • Top Posts
  • Nepali IT
  • Startups
  • Tech News
  • Categories
    • News
      • Tech
No Result
View All Result
TechSansar.com
  • Services
  • Top Posts
  • Nepali IT
  • Startups
  • Tech News
  • Categories
    • News
      • Tech
No Result
View All Result
TechSansar.com

Session vs Token Authentication in Information Security

TechSansar Editor by TechSansar Editor
November 12, 2020
in Software
A A
1
session vs token

User authentication is a key concern for any modern web project. Not just web but authentication is used in almost every sector such as banking, governments, and many others. For the purpose of user authentication in web or mobile apps two main ways which are Session and Tokens. In this explanatory article, we discuss session vs token authentication necessity and mechanism.

Authentication is the process of verifying whether the user who they claim they are. Let’s consider a simple example of ABC Bank, before fully digging into session vs authentication chapter.

Authentication example where end-user attempts to login using username and password to the cloud-based backend of the banking service.
Authentication example where end-user attempts to login using username and password to the cloud-based backend of the banking service.

In the initial stage, a user is presented with the login screen as shown on the left side of the image. As the user enters the login credentials, the request is handled by the backend service and validates with the database or cloud server.

The authenticity of the login credentials are checked and the response is sent to the user by the backend. If the user is valid, a success request is sent and the user can access the services provided otherwise the authentication is not granted and the user cannot access the system.

As the access is granted a session is created in the database along with the login event and provides the session-id in form of a cookie.

Session – what is it?

The session can be defined as the way or method of authenticating a user without them having to type the username and password every time they need to access the system which requires authenticity.

The process begins with the user filling out their login credentials and submitting it to the server. The server validates and creates a session on the database and then responds with a session-id. The session-id is stored in the browser as cookies which will be sent back to the server on each subsequent request.

Then the server responds with the context that is authentic for the currently signed-in user. A stateful session is in between the client, backend, and the server.

Session-Based Authentication flow
Mechanism of Session Based Authentication flow
Mechanism of Session Based Authentication flow
Example of Session Management

Let’s take the example of Facebook. Initially, we need to type in our username and password to get into the website or mobile app to confirm that we are the owner of the account.

If there would be no service of session management, image how annoying it would be typing in username and password for every little thing such as uploading a picture, comments, likes, and so on.  This would be necessary if there was no session management system because Facebook wants to confirm that you are the account owner before doing those little things.

With the presence of session-id, Facebook knows the account belongs to us and thus lets us perform those operations without that login stuff.

Related Post

Power Automate is once again getting a new name! #PowerAutomate #Flow #Workflows

Create Watermark of image using PHP

Top 5 Programming Language to learn Nepal

The History of Windows – how did Microsoft Windows 10 evolved from Windows 1 in 20 years time?

Drawbacks of session-based authentication
  • Every authentication server creates a new session and stores it into the server. With the presence of an excessive number of users, it creates a heavy load onto the server.
  • As the session gets stored in the server memory, it creates a problem with scalability.
  • Vulnerable to CSRF (Cross-site request forgery) attack.

Token – what is it?

Token-based authentication is one of the better ways of authentications for secure and safe user verification. As the user enters the login credentials, the server creates a Token (JSON Web Token) which is created by the private key on the server.

As the Token is created from the server it is passed back to the browser and is stored in the local storage which reduces the load on the server.  Whenever the server requests authentication,  JWT is added to the authorization header prefix.

The signed header is used for validation upon server requests. Then the server only needs to validate the signature with the header. This is more robust when dealing with a distributed system in the cloud.

Token-Based Authentication flow
Mechanism of Token based authentication flow
Mechanism of Token based authentication flow
Pros of Token-Based Authentication
  • Tokens contain all the necessary information that is necessary for the validation. From a scalability point of view, it is great as it doesn’t load the server and no verification needs to be stored on the server.
  • Less risk of CSRF (Cross-site request forgery) attack.
  • We can easily transfer information between parties in a more convenient and more secure manner.
A basic example of JSON Web Token

jwt example

JWT encoded value is presented on the left side of the image. The encoded value consists of various components like header, payload, and verify the signature. With the use of payload, we can provide various information regarding the user regarding their roles and accessibility.

With a modern programming framework it becomes more efficient and more secure working with JSON Web Token.

Conclusion

As compared to session-based authentication, token-based authentication is much better and efficient to work with. Regarding core aspects like scalability, security, server load token-based authentication is more promising than session-based authentication.

In this comparison of token vs session based authentication, it maybe a developer’s preference but the wider and future scaling of application need might help you understand what to adopt at an early application development stage.

What’s your thought? Let’s discuss.

Tags: InfosecSecuritySupport
Share246Tweet133Send
Previous Post

Fix for “Sorry, another account from your organization is already signed in on this computer.”

Next Post

Why It Is Important to Consider Using Electronic Signature for Your Businesses

Related Posts

Power Automate app link menu
Software

Power Automate is once again getting a new name! #PowerAutomate #Flow #Workflows

Not a surprise, especially when Microsoft renames its tools. Power Automate, which was renamed as Microsoft Flows, will now be...

by tsGeek
July 24, 2024
watermark using php
How To

Create Watermark of image using PHP

Creating a watermark for normal individuals is not an easy task. For a professional designer, it is an easier task...

by TechSansar Editor
November 3, 2020

Comments 1

  1. Piotr Śródka says:
    5 years ago

    From the article it appears there is no difference between session and token.

Recent News

Gen Z Protest Kathmandu 2025

July 4, 2026
The Launch That Moved Syuchatar: YetiCloud.AI and the Night Nepal’s Compute Policy Went Public

The Launch That Moved Syuchatar: YetiCloud.AI and the Night Nepal’s Compute Policy Went Public

July 4, 2026
Illustrating Sovereign AI Compute in Nepal Syuchatar with circuitary

Syuchatar in Regional Context: A Policy Commentary on Sovereign AI Compute

May 31, 2026
Technical explainer on Nepal's announced Sovereign AI Compute Center at Syuchatar. What Budget 2083/84 specified, what it didn't, and the four design questions that decide its outcome.

Nepal’s Sovereign AI Compute Center at Syuchatar: A Technical Explainer

May 30, 2026
Hostinger
  • News
  • Tech
  • Event
Generate free QR Codes with QRSansar

TechSansar.com, ICT For Media Pvt Ltd, Regd #249079/077/078, VAT #609868175.
By continuing to use this site, you agree to our cookies and privacy policies.
Here is our Do Not Track (DNT) Guide. Hosted on a VPS and uses this free PDF tool. You can also subscribe to our newsletter.
Creating tech contents for the b̶o̶t̶s̶ humans since 2009 • Team TechSansar • ICT4M with ❤ from Nepal

Welcome Back!

Login to your account below

Forgotten Password? Sign Up

Create New Account!

Fill the forms below to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In
No Result
View All Result
  • Home page
  • Shop peripherals
  • Buy software
  • Featured articles
  • My account

TechSansar.com, ICT For Media Pvt Ltd, Regd #249079/077/078, VAT #609868175.
By continuing to use this site, you agree to our cookies and privacy policies.
Here is our Do Not Track (DNT) Guide. Hosted on a VPS and uses this free PDF tool. You can also subscribe to our newsletter.
Creating tech contents for the b̶o̶t̶s̶ humans since 2009 • Team TechSansar • ICT4M with ❤ from Nepal