{"id":1203509,"date":"2019-05-21T11:11:56","date_gmt":"2019-05-21T09:11:56","guid":{"rendered":"https:\/\/wp-rocket.me\/?p=1203509"},"modified":"2021-07-29T10:04:16","modified_gmt":"2021-07-29T08:04:16","slug":"difference-json-web-tokens-vs-session-cookies","status":"publish","type":"post","link":"https:\/\/wp-rocket.me\/blog\/difference-json-web-tokens-vs-session-cookies\/","title":{"rendered":"JSON Web Tokens vs. Session Cookies: What’s the Difference?"},"content":{"rendered":"

JSON Web Tokens and session cookies both offer user authentication for websites and apps, but they\u2019re not the same thing.
<\/p>

Below are more details on JSON web tokens and session cookies as well as the main differences between them.<\/p>

Similarities Between JSON Web Tokens and Session Cookies<\/h2>

Before getting into the differences between JSON web tokens and session cookies, it\u2019s essential to first understand their main similarity. They can both be used to authenticate users as well as when they click through to different pages, and after logging into a website or app.
<\/p>

Without them, for example, you would have to keep logging in after each page you click to visit.
<\/p>

The foundation of the web is the Hypertext Transfer Protocol (HTTP). It transmits data such as HTML documents.
<\/p>

It\u2019s also stateless. This means that when you visit a web page, then click through to another one on the same site, your previous actions aren\u2019t remembered in the server\u2019s memory.
<\/p>

So, if you logged in and visited another page that you should have access to, you would be forced to log in again since HTTP wouldn\u2019t keep a record of the fact that you just signed in.
<\/p>

Both JSON web tokens and sessions cookies resolve this issue by keeping certain user data authenticated at each new request.
<\/p>

In other words, both options keep your logged in status on record so you can browse as many password-protected pages of a website as you want without having to sign in again \u2013 at least for the duration of your visit, or until you log out.
<\/p>

Both JSON web tokens and session cookies are also secure options you can use.
<\/p>

That\u2019s about where the similarities end. So, what are the main differences between JSON web tokens and session cookies?<\/p>

What are Session Cookies?<\/h2>

Session cookies make use of session-based authentication<\/a>. A user\u2019s logged in state is saved in the server\u2019s memory.
<\/p>

After a user signs in, a session is securely created by the server. Then, that session ID is stored in a session cookie on the user\u2019s browser. While the user remains logged in, the cookie is sent with every subsequent request.
<\/p>

At each request, the server takes a look at the session cookie to read the session ID. If it matches the data stored in its memory, it sends a response back to the browser letting it know everything\u2019s okay and ready to go.
<\/p>

That\u2019s when the session is authenticated and the user is free to browse the password-protected page. When they click to another protected page, the process repeats.<\/p>

What are JSON Web Tokens?<\/h2>

JSON Web Token is often abbreviated to JWT and is commonly pronounced as \u201cjot.\u201d
<\/p>

A JSON web token takes JASON data, called a claim, and transfers it securely. It does this by cryptographically signing the claim. The signature is either symmetrically or asymmetrically signed, but both offer authentication.
<\/p>

This process is a form of token-based authentication.
<\/p>

JSON web tokens work in a similar way as a bank account number on a cheque, and the signature that\u2019s placed on it to approve the transfer of money with the cheque.
<\/p>

If you\u2019re renting an apartment and wanted to pay rent by cheque, your name attached to your bank account number is similar to a claim.
<\/p>

It\u2019s basic details about you that needs to be passed along if you want to pay your rent. It\u2019s similar to a claim because a claim would have a few details about you that\u2019s saved after you log in or otherwise have your identity authorized in order to visit password-protected pages.
<\/p>

You being able to use the website or app after logging in would be like paying your rent in this analogy.
<\/p>

The cheque would also include your signature. Your signature is specifically unique to you, and lets the bank know that you authorize the transaction. Because this signature is unique to you, the bank can be confident that you are who you say you are, and the transaction is able to go through.
<\/p>

Your signature on the cheque is like a JSON web token\u2019s cryptographic signature. In a JWT, this signature is able to authorize that it\u2019s definitely you wanting to access a site or an app.
<\/p>

But here\u2019s the kicker: What if your landlord or landlady didn\u2019t get your signed cheque with your bank account number and name? What if you paid rent by giving an envelope of cash with no other details?
<\/p>

Your landlord or landlady would get a building\u2019s worth of tenants all sending them envelopes of cash without any real way of being able to verify it\u2019s from you, or any of their tenants. Yikes! What a mess.
<\/p>

When you use JSON web tokens, it\u2019s like handing over a cheque to pay rent instead of an unmarked envelope of cash \u2013 your identity can be confidently authorized, and the process of paying rent can be completed.
<\/p>

With JSON web tokens, your identity is unequivocally verified, and you\u2019re able to continue browsing the website or app where you logged in.
<\/p>

It may also be important to note that a JSON web token consists of three main parts that are separated by periods: A header, payload, and signature.
<\/p>

For full details, check out Introduction to JSON Web Tokens<\/a>.<\/p>

\"A<\/figure>

Differences Between JSON Web Tokens and Session Cookies<\/h2>

Both JSON web tokens and session cookies offer secure forms of user authentication, which is great. But, how do they differ?
<\/p>

Detailed below are the specific and main differences between them.<\/p>

1. Cryptographic Signatures<\/h3>

JSON web tokens have cryptographic signatures, and that\u2019s not the case with session cookies.<\/p>

2. JSON is Stateless<\/h3>

JSON web tokens are stateless because claims are stored client-side, rather than in the server\u2019s memory.
<\/p>

Authentication can occur locally, instead of per request, where requests have to go through the server\u2019s database, or similar locations. This means that a user can be authenticated multiple times without having to communicate with the site or app\u2019s database, and without using up a lot of its resources in the process.<\/p>

3. Scalability<\/h3>

Because session cookies are stored in the server\u2019s memory, it has the potential of using a lot more resources if the website or app sees a lot of traffic. Because JSON web tokens are stateless, they can potentially save on server resources in many cases.
<\/p>

This also means that JSON web tokens tend to be a lot more scalable as a result.<\/p>

4. Authentication Across Multiple Locations<\/h3>

Session cookies only work across a single domain, or on its subdomains. If they try to go to a third party, browsers tend to disable them. This is particularly an issue if you want your website to have a secure connection with an API that uses a different domain.
<\/p>

With JSON web tokens, you can authenticate a user across multiple locations including multiple domains, mobile devices, and APIs to name a few. This is because they\u2019re stored locally in the request header.<\/p>

Which Should You Use?<\/h3>

While JSON web tokens and session cookies are both viable options, sometimes you may want to use one over the other.
<\/p>

For small to medium websites that just need to log a user in and access a few details that are stored in your site\u2019s database, session cookies are usually enough.
<\/p>

If you have an enterprise level site, app, or close to it, and you need to handle a lot of requests, especially with third parties, or a lot of third parties, including APIs at a different domain, JSON web tokens are more suitable.
<\/p>

Keep in mind that these are general recommendations since each website is different, and has its own specific needs. This should give you a head start on what you may want to use in your case.<\/p>

<\/div>\n\t