Skip to main content
HashnodeDipanshu Dns Record

Command Palette

Search for a command to run...

Sessions vs JWT vs Cookies: Understanding Authentication Approaches

Updated
5 min read
D
Dipanshu Kumar Sah
Passionate about JavaScript, backend development, and building real-world projects. Currently learning and sharing concepts like async/await, promises, and core JS fundamentals. Open to internships and collaboration

Authentication is the backbone of any secure web application. Whether you’re building a social media platform, an e-commerce store, or a SaaS product, you must answer one critical question:

How do you verify and maintain a user’s identity across requests?

This is where Sessions, JWT (JSON Web Tokens), and Cookies come into play. These are the three most commonly used approaches for handling authentication in modern web development, especially in environments like Node.js and Express.js.

In this detailed blog, we’ll break down each approach, compare them, and help you decide which one to use in real-world applications.

What is Authentication? Authentication is the process of verifying who a user is.

Example:

User logs in with email/password

Server verifies credentials

Server maintains user identity for future requests

Understanding Cookies What are Cookies? Cookies are small pieces of data stored in the user’s browser. They are automatically sent with every HTTP request to the server.

Example: Set-Cookie: userId=12345

How Cookies Work User logs in

Server sends a cookie

Browser stores it

Browser sends cookie with every request

Types of Cookies Session Cookies → deleted when browser closes

Persistent Cookies → stored for a defined time

HttpOnly Cookies → not accessible via JavaScript

Secure Cookies → sent only over HTTPS

Advantages of Cookies Easy to implement

Automatically managed by browser

Works well with sessions

Disadvantages of Cookies Limited storage (~4KB)

Vulnerable to XSS (Cross-Site Scripting)

Can be intercepted if not secure

Session-Based Authentication What are Sessions? A session is a server-side storage mechanism that keeps track of user data.

Instead of storing user info in the browser, the server stores it and assigns a session ID.

How Sessions Work User logs in

Server creates session (stored in memory/database)

Server sends session ID via cookie

Browser sends session ID with each request

Server retrieves session data

Example in Express Using express-session:

const session = require("express-session");

app.use(session({ secret: "mySecretKey", resave: false, saveUninitialized: true }));

app.post("/login", (req, res) => { req.session.user = { id: 1, name: "Kanishka" }; res.send("Logged in"); });

app.get("/profile", (req, res) => { if (req.session.user) { res.send(req.session.user); } else { res.send("Not logged in"); } });

Advantages of Sessions More secure (data stored on server)

Easy to invalidate (logout = destroy session)

Works well with traditional web apps

Disadvantages of Sessions Requires server memory

Not scalable without external storage (like Redis)

Slower in distributed systems

JWT (JSON Web Token) Authentication What is JWT? A JWT is a self-contained token that stores user information and is digitally signed.

Popular library: jsonwebtoken

Structure of JWT A JWT has 3 parts:

Header.Payload.Signature

Example:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

How JWT Works User logs in

Server generates JWT

Token is sent to client

Client stores token (cookie/localStorage)

Client sends token with each request

Server verifies token

Example in Express const jwt = require("jsonwebtoken");

app.post("/login", (req, res) => { const user = { id: 1, name: "Kanishka" };

const token = jwt.sign(user, "secretKey", { expiresIn: "1h" });

res.json({ token }); });

app.get("/profile", (req, res) => { const token = req.headers.authorization;

jwt.verify(token, "secretKey", (err, decoded) => { if (err) return res.send("Invalid token"); res.send(decoded); }); });

Advantages of JWT Stateless (no server storage needed)

Scalable (ideal for microservices)

Fast performance

Can be used across multiple services

Disadvantages of JWT Cannot easily revoke tokens

Larger payload size

Security risks if stored improperly

Sessions vs JWT vs Cookies Let’s compare them side by side:

Feature Sessions JWT Cookies Storage Server-side Client-side Client-side Scalability Low (needs shared storage) High Medium Security High Medium (depends on storage) Medium Performance Slower Faster Fast Revocation Easy Difficult Depends Use Case Traditional apps APIs, microservices Storage mechanism Relationship Between Them Many developers get confused, but here’s the truth:

👉 Cookies are just a storage mechanism 👉 Sessions and JWT are authentication strategies

Common combinations: Session + Cookie

Store session ID in cookie JWT + Cookie

Store token in HttpOnly cookie JWT + LocalStorage

Store token in browser storage Security Considerations

  1. XSS (Cross-Site Scripting) Attackers inject scripts

Can steal tokens from localStorage

✅ Solution:

Use HttpOnly cookies 2. CSRF (Cross-Site Request Forgery) Exploits automatic cookie sending ✅ Solution:

CSRF tokens

SameSite cookies

  1. Token Leakage Avoid storing JWT in localStorage for sensitive apps

  2. HTTPS Usage Always use:

Secure; HttpOnly

When to Use What? ✅ Use Sessions When: Building traditional web apps

You need strong security

Server-side rendering

✅ Use JWT When: Building REST APIs

Microservices architecture

Mobile apps

✅ Use Cookies When: You need automatic request handling

Storing session IDs or tokens

Real-World Examples

  1. Banking Application Uses Sessions

High security required

  1. Social Media Platform JWT for APIs

Cookies for browser storage

  1. SaaS Dashboard JWT + refresh tokens Advanced Concepts Refresh Tokens Used with JWT to maintain sessions:

Short-lived access token

Long-lived refresh token

Token Rotation Generate new tokens frequently

Improve security

Session Storage Options Memory (default)

Redis

Databases

Common Mistakes ❌ Storing JWT in localStorage without protection

❌ Not using HTTPS

❌ Ignoring token expiration

❌ Not validating sessions properly

Conclusion Authentication is not just about logging users in—it’s about maintaining trust and security throughout the user’s journey.

Sessions → Secure but less scalable

JWT → Scalable but requires careful handling

Cookies → Storage mechanism, not authentication itself

Choosing the right approach depends on your application type, scalability needs, and security requirements.

Final Thoughts In modern development with Node.js and Express.js:

Use Sessions for simplicity and security

Use JWT for scalability and APIs

Use Cookies wisely for storage

A smart combination often works best.

#session#jwt#nodejs#chaicode#web-development#full-stack

Comments

Join the discussion

No comments yet. Be the first to comment.

More from this blog

Dipanshu Dns Record

52 posts