TL;DR Session based authentication could be more secure but Token based authentication is faster and much easier to implement in mobile application. And You can implement Web-Farm with Token based easier than using Session.
Session based authentication vs Token based authentication
The introduction:
You know that, HTTP is stateless protocol. Each request as an independent transaction that is unrelated to any previous request. But, today, Web application is not something like that. You need manage the state of your visitor (manage the authentication state, the shopping carts,..). By using Cookie, Session,..they will help you to manage the state of your visitors.
In this post, I want to share you about how to store user identity (information to know who you are: user id, user name,…) in your Web Application.
In Web Application, there are many way to store User Identity, but in this post I will mention only 2 methods: Session based authentication, Token based authentication.
- Session based authentication: Present for storing user identity in Server side (It can be in In-Memory Session, State Server, SQL Session Server,…)
- Token based authentication: Present for storing user identity in Client side under encrypted form (store the token in Cookie, Local Storage, Client Memory, File System,…)
Comparison:
So, Session vs Token which one is better ?
The answer for a “which is better” question always is “it’s depend !”. It’s depend on your need. But in most scenario, using a Token have more benefit than Session.
| Session | Token |
|
Is more secure, Identity information (user id,..) is stored in Server side. Browsers just store Session_Id |
Less secure,
Token include your identity information, It depends on Cryptography. If the private key of the Cryptography is disclosed, Attacker can fake your identity. |
| Resource consuming, a session/state server is required(A session can be stored in the Memory, State-Server, SQL Server…) | Less resource consuming, It’s depend on encrypt/decrypt. The token often short, so it doesn’t cost much resource. |
| Not Web-farm friendly.
You can, but It’s more complex than using token. |
Web-farm friendly.
We can say that token is design for web-farm from beginning. |
| Slower
Not really good performance because of round-trip to looking session data in State Server. |
Faster
Because token often short. So decrypt a token would be faster than round-trip in Session State Server |
| Not mobile friendly | Mobile friendly |
| Session often depend on Cookie. Working with cookie in a mobile application can be a lite complex. | Token is much easier to implement than Cookie for a mobile application. |
| Not always persistence
Session life-time can be effected by State-Server Life-time/timeout. If your session is stored in Memory, Your sessions will we be cleared if your web-server(or web service ) is restarted. If you used Shared-host before. You can meet an issue that: “Despite your session have not be expired, It was cleared. Because of Web Service time-out”
|
Persistence
Token always alive. |
Conclusion:
So, which one would we use ?.
It’s up to you. But, in my opinion:
- Use Token for Authentication.
- Use Session for storing a “Session data”.
If you are using Token for Authentication. I have a question : “In Web application, which storage we should use ? Cookie, Local-Storage, Session-Storage ?“
Hung Doan 