Two ways to remember a logged-in user
After login the server must recognize the user on later requests. Two models dominate.
Session-based auth stores state on the server. After login the server creates a session record and returns a session id in a cookie. Each request sends the cookie, and the server looks up the session to find the user.
Token-based auth is stateless on the server. The server issues a signed token, often a JWT, that contains the user's claims. Each request carries the token, and the server verifies the signature without any lookup.
The core trade-off
- Sessions are easy to revoke: delete the server record and the session is dead immediately.
- Tokens scale horizontally with no shared session store, but a valid token stays usable until it expires, making instant revocation harder.
Sessions push state to the server; tokens push state to the client. Choosing depends on whether easy revocation or stateless scaling matters more.
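As an added illustration, not part of the original note, here is a minimal Python sketch of both models side by side: an in-memory session store whose records can be deleted for instant revocation, and a constructed HMAC-signed, JWT-like token (not a real JWT library) that keeps verifying until its exp claim passes. The store, the key and the claim names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets

# --- Session-based: the server keeps the state ---
SESSIONS = {}  # constructed in-memory store; production uses a DB or cache

def create_session(user):
    sid = secrets.token_urlsafe(32)   # random, unguessable id, sent in a cookie
    SESSIONS[sid] = {"user": user}
    return sid

def user_from_session(sid):
    rec = SESSIONS.get(sid)           # one server-side lookup per request
    return rec["user"] if rec else None

def revoke_session(sid):
    SESSIONS.pop(sid, None)           # dead at once, no waiting for expiry

# --- Token-based: the client carries the state in a signed token ---
KEY = b"constructed-demo-key"         # assumption: HMAC key held by every verifier

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def _unb64(enc):
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))

def issue_token(user, ttl, now):
    claims = json.dumps({"sub": user, "exp": now + ttl}).encode()
    sig = hmac.new(KEY, claims, hashlib.sha256).digest()
    return _b64(claims) + b"." + _b64(sig)   # JWT-like "claims.signature"

def user_from_token(token, now):
    try:
        body, sig = token.split(b".")
        claims = _unb64(body)
        expected = hmac.new(KEY, claims, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):  # constant-time
            return None               # tampered claims or signature
        c = json.loads(claims)
        return c["sub"] if now < c["exp"] else None  # no lookup, valid until exp
    except (ValueError, KeyError):    # malformed token
        return None
```

Once issued, the token has no server-side record to delete, so the usual workarounds are short lifetimes or a server-side denylist, both of which reintroduce some of the state that sessions had all along.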
Key idea
Session auth keeps state on the server for easy revocation, while token auth keeps state in a signed client token for stateless scaling but harder revocation.