Session vs Cookie/Token based authentication

TL;DR Session based authentication could be more secure but Token based authentication is faster and much easier to implement in mobile application. And You can implement Web-Farm with Token based easier than using Session.

Session based authentication vs Token based authentication

The introduction:

You know that, HTTP is stateless protocol. Each request as an independent transaction that is unrelated to any previous request. But, today, Web application is not something like that. You need manage the state of your visitor (manage the authentication state, the shopping carts,..). By using Cookie, Session,..they will help you to manage the state of your visitors.

In this post, I want to share you about how to store user identity (information to know who you are: user id, user name,…) in your Web Application.

In Web Application, there are many way to store User Identity,  but in this post I will mention only 2 methods: Session based authentication, Token based authentication.

  • Session based authentication: Present for storing user identity in Server side (It can be in In-Memory Session, State Server,  SQL Session Server,…)
  • Token based authentication: Present for storing user identity in Client side under encrypted form (store the token in Cookie, Local Storage, Client Memory, File System,…)


So, Session vs Token which one is better ?

The answer for a “which is better” question always is  “it’s depend !”. It’s depend on your need. But in most scenario, using a Token have more benefit than Session.

Session Token

Is more secure,

Identity information (user id,..) is stored in Server side. Browsers just store Session_Id

Less secure,

Token include your identity information, It depends on Cryptography.

If the private key of the Cryptography is disclosed, Attacker can fake your identity.

Resource consuming, a session/state server is required(A session can be stored in the Memory, State-Server, SQL Server…) Less resource consuming,
It’s depend on encrypt/decrypt. The token often short, so it doesn’t cost much resource.
Not Web-farm friendly.

You can, but It’s more complex than using token.

Web-farm friendly.

We can say that token is design for web-farm from beginning.


Not really good performance because of round-trip to looking session data in State Server.


Because token often short. So decrypt a token would be faster than round-trip in Session State Server

Not mobile friendly Mobile friendly
Session often depend on Cookie. Working with cookie in a mobile application can be a lite complex. Token is much easier to implement than Cookie for a mobile application.
Not always persistence

Session life-time can be effected by State-Server Life-time/timeout.

If your session is stored in Memory, Your sessions will we be cleared if your web-server(or web service ) is restarted.

If you used Shared-host before. You can meet an issue that: “Despite your session have not be expired, It was cleared. Because of Web Service time-out”



Token always alive.



So, which one would we use ?.

It’s up to you. But, in my opinion:

  • Use Token for Authentication.
  • Use Session for storing a “Session data”.

If you are using Token for Authentication. I have a  question : “In Web application, which storage we should use ? Cookie, Local-Storage, Session-Storage ?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.