cookies vs jwt for auth

jwtAndCookies.md

Using session Cookie VS. JWT for Authentications

write your answers in the comments below:

• Can you explain the steps that take place when a user signs in to a website?

• Where are each of session/cookie and JWT data stored?

• Which technology is stateful and which is stateless and what is the different between both?

• What are the advantages and disadvantages of each of them in your opinion?

• Overall which one would you prefer to use and why?

Team members : @HishamWattar @fatimaali200 Gullied @radmanlo
1-login steps :
When a user clicks on the login button, the login/sign-in page will open. And when the user tries to log in with its credential, the server compares the data against the users’ database table. If the data is correct, the user gets logged in and. It also sets the user login session.
When authenticating the user, the user id gets stored in a session
2-Session data is stored on the server, cookies are stored on the client-side (usually in the browser), and JWT data is typically stored on the client-side as a token (in the browser's local or session storage).
3-Stateful technologies (e.g., traditional web applications using cookies and sessions) maintain information about the client's session, while stateless technologies (e.g., RESTful APIs) do not maintain any information about the client's session between requests. The main difference is that in a stateful system, the server manages and stores the state of the application or session data, while in a stateless system, the client sends all the necessary data with each request, and the server processes each request independently.
4-Advantages of stateful systems include personalized experiences and more complex functionality, but they can be more complex and less scalable. Advantages of stateless systems include simplicity, scalability, and fault tolerance, but they may require more data to be sent with each request and may not provide the same level of functionality as stateful systems. Ultimately, the choice between stateful and stateless systems depends on the specific needs and requirements of the application or system.
5-The choice between stateful and stateless systems depends on the specific needs and requirements of the application or system. If the application requires complex functionality and personalized experiences, and the ability to maintain user sessions across multiple requests, a stateful system may be more appropriate. However, if the application requires scalability, fault tolerance, and simplicity, a stateless system may be more appropriate. Ultimately, the choice between stateful and stateless systems should be based on a careful consideration of the specific requirements and constraints of the application, and the trade-offs between the advantages and disadvantages of each approach

@handedemirbay, @ilaydanurguzel1, Khaled Naes, and @0Rawan

1. step 1 User initiates sign-in step 2 Form submission step 3 Client-side validation step 4 Data transmission step 5 Server-side verification step 6 Authentication checks step 7 Session creation step 8 User authorization Step 9 The user redirected or logged in
2. Session data is stored on the server side, while cookies and JWT data are stored on the client side.
3. A stateless system sends a request to the server and relays the response (or the state) back without storing any information. On the other hand, stateful systems expect a response, track information, and resend the request if no response is received.
4. Advantages of Stateful Systems: -Enhanced Personalization -Session Management -Simplicity of -Data Access
   Disadvantages of Stateful Systems: -Scalability Challenges -Increased Server Overhead -Higher Coupling
   Advantages of Stateless Systems: -Scalability and Load Balancing -Improved Fault Tolerance -Simplified Maintenance
   Disadvantages of Stateless Systems: -Limited Personalization -Increased Data Transfer -Additional Complexity for Security
5. We would choose Stateless unless Security issues need to be solved
   

Team members: @houzifahabbo, @ahmadalashtar, @ahmadramin , Sara nafisa

1- Entering Credentials, Verifying Credentials, Authenticating user, API generating an authentication token, Authorizing user services.

2- Session and cookie data are stored in the browser's cookie storage system. The location of where JWT data is stored can vary and depends on the developer's preference. JWT data can be stored in cookies, local storage, or session storage.

3- Stateful technology retains information about a user's interactions, while stateless technology does not. Stateful technologies provide a personalized experience, but are more complex and difficult to scale, while stateless technologies are simpler and easier to scale, but do not provide the same level of personalization.

4- Stateful technology can provide a more personalized experience and can remember user preferences, but can be complex and difficult to scale. Stateless technology is simpler and easier to scale, but may not provide a personalized experience and requires more data to be transferred with each request. The choice between the two depends on the specific use case and requirements.

5- Even though stateful technology can be complex and difficult to scale, we prefer to use it because it can provide a more personalized experience and can remember user preferences.

@Eng.NUREDDIN , @baraah-berra ,Adib Naser, Mustafa Kraizim
1- The user submits their login credentials (e.g. username and password) to the server.
The server verifies the credentials by checking them against the stored user data in the database.
If the credentials are valid, the server creates a token, which contains information about the user, such as their ID, roles, and permissions.
In the case of session cookies, the server creates a session and sends back a response to the user's browser with a session ID stored in a cookie. The browser stores the session ID in a cookie and sends it along with each subsequent request to the server. The server uses the session ID to retrieve the user's session data from its memory or cache.
In the case of JWT, the server generates a JSON Web Token that contains the user information and signs it using a secret key. The server sends back the JWT to the user's browser in response.
The browser stores the JWT in local storage or in a cookie and sends it along with each subsequent request to the server.
The server validates the token' The server validates the token's signature and decodes the information it contains to authenticate the user and authorize their requests.

2- Both are stored on the client side usually in localStorage and it is sent as a unique key of that user when the user requests any data from the server or is performing any activity for that website. So, when the request is received by the server, it validates the JWT for every request that it is for that particular user only and then sends the required response back to the client.
3- The main difference between stateful and stateless authentication is that stateful authentication requires server-side storage of session data, which can create scalability and security challenges, while stateless authentication eliminates the need for server-side storage and allows for easier scaling and increased security. Additionally, stateless authentication can be used in distributed systems, while stateful authentication is generally limited to a single server or cluster.
Session-based authentication is stateful, while token-based authentication, including JWT, is stateless.
Stateful means that the server maintains information about the client's session, such as the user's identity and the contents of their shopping cart
Stateless means that the server does not store any session information, and each request from the client must contain all the necessary information, including the user's identity, in the request itself.

4- it's better from the user experience side to use stateful technology because the information is stored on the server side and the user can have continues sessions Cuz the information and preferences are stored on the server.
disadvantage: it's less secure because an attacker who gains access to the session can access the user data.
on the other hand, the stateless is faster but not precise.
the statfull technology, because the data is precise and the data stored within the server

Atakan Serbes, Nezir Aydin, Mohamad Zanab, Mustafa Noori

1. Request a protected resource, Server requests username and password, You input username + password, Server validates password and creates a session (session ID), the Session ID is sent to Client, Client stores session ID in cookie, User sends a request with cookie embedded with Session ID, Server validates the session by checking if session IDs match If the session is validated, the server returns the resource.
2. Session data is typically stored on the server side. When a user logs in, the server creates a session and assigns a unique session ID, which is sent to the user's browser and stored as a cookie. For each subsequent request, the browser sends this session ID back to the server, which uses it to retrieve the user's session data. The client stores the JWT in local storage and includes it in the HTTP header for subsequent requests.
3. Session-based authentication is stateful: Here, the server maintains the session data. When a user logs in, the server creates a session for that user and sends a session ID back to the client.
   Token-based authentication (e.g., JWT) is stateless: With token-based authentication, when a user logs in, the server creates a token for that user.
   The difference between stateful and stateless is that stateful means that the server stores information about the client’s session, while stateless means that the server does not store any information about the client’s session.
4. Session cookies are easier to implement but can be vulnerable to cross-site scripting (XSS) attacks. They are also stateful, which means that the server stores information about the client’s session. Reduced client storage: No need to store sensitive data on the client side, reducing the risk of data being exposed.
   JWT is more secure but requires more work to implement. They are also stateless, which means that the server does not store any information about the client’s session. Decoupling: The server and client are completely decoupled and the state is stored on the client side, making this method favorable for distributed systems.
5. Session cookies can be vulnerable to XSS attacks, also CSRF attacks. Session cookies can be difficult to scale to large number of users as each session requires server-side storage of the session state.
   In general, JWT is a better choice for modern web applications because it is more secure and scalable. However, session cookies may be a better choice for legacy applications or applications that require stateful sessions.

@masterofalune @noorin99 @abdulsalamhamandoush

1 - user point of view: enter your email/password into the input then click the button
programmer point of view: User initiates the session by logging in and providing credentials. Then, request is sent from the client side to
the server. The server validates the credentials. If they are correct, the server creates a session for user. The server sends a response back to
the client. The client application or web browser receives the server's response. It "may" store the session cookie or other authentication
tokens locally to maintain the user's sign-in state for future requests. User access granted finally
2 - Sessions and cookies are stored on the server and client-side , while JWT (JSON Web Tokens) are stored on the client-side.
3 - Stateful: Session cookies are used, and the server stores session data on the server-side.
Stateless: JWTs are used, and the server does not store session data.
4 - https://www.interviewbit.com/blog/stateful-vs-stateless/
5 - stateless ty :3, ezy to use modern library use it.

Ismail Dincer, Younes Nourzehi, Asli Sema Gultekin, Jimaa Maya

1-///A user reaches a login page on a website they have previously created an account with.
///The user provides their unique ID and key to verify their identity.
///The login credentials are sent to the server and checked against the originals stored in the website’s Database.
If they match, the user is authenticated and provided access to their account.
///The server sends a cookie to the user's browser and the browser stores it.

2-The session cookie is stored in temporary memory and is not retained after the browser is closed. Session cookies do not collect information from your computer.
A JWT needs to be stored in a safe place inside the user's browser. Any way,you shouldn't store a JWT in local storage (or session storage).

3-Stateful technologies:
Databases
File systems
Web servers
Email servers

Stateless technologies:
HTTP
TCP
UDP
DNS
-The main difference between stateful and stateless systems is in how they handle and store information about past interactions. Stateful systems maintain context and state information, while stateless systems do not.

4-

5-It depends if we want to keep track of the connection or high-level information, we prefer stateful, otherwise we go for stateless.

Abdulrahman Albakkar - Cansu Aysagdic - Omar Qaqish - Özlem Keleş
Q1-
Step 1: The user enters their credentials (username and password) on the website's login page.
Step 2: The website server receives the entered credentials and verifies them against the stored user data (usually in a database).
Step 3: If the credentials are valid, the server creates a session or generates a token (such as a JSON Web Token - JWT) to represent the user's authenticated state.
Step 4: The server sends the session ID or token back to the client (user's browser) as a response.
Step 5: The client stores the session ID or token, usually in a cookie or local storage.
Step 6: For subsequent requests, the client includes the session ID or token in the request headers to authenticate the user's identity.

Q2-
Cookies and Sessions are used to store information. Cookies are only stored on the client-side machine, while sessions get stored on the client as well as the server.
JWT data is self-contained and stored on the client-side. The token itself contains the necessary information (such as user ID, expiration time, etc.) and is typically stored in a client-side storage mechanism, such as local storage or a cookie.

Q3-
Stateful protocol keeps track of the connection information, and as a result, delivers superior performance because of continually keeping track of information.
Stateful protocols are more intuitive because they can maintain data on the server between two requests.
They can improve performance when data retrieval is required only once.
Session and cookie are stateful whereas JWT is stateless.

Q4-
Advantages of Stateful:

Stateful protocol keeps track of the connection information, and as a result, delivers superior performance because of continually keeping track of information.
Stateful protocols are more intuitive because they can maintain data on the server between two requests.
They can improve performance when data retrieval is required only once.
Disadvantages of Stateful:
Stateful protocol requires memory allocation in order to store data.
In the event of inefficient maintenance of session storage, there can be a decrease in the performance. It requires continuous management of the service’s full lifecycle.
These protocols are highly dependent on the server-side state.
Usually, stateful protocols require backing storage.
Since the state is maintained, stateful is not very secure.

Advantages of Stateless:
Improved visibility of the protocol as the system only needs to analyze a single request to understand its nature.
Easier recovery from partial failures, such as crashes, due to the absence of maintained state, leading to improved reliability.
Enhanced scalability as session state does not need to be stored between requests, allowing deployment to any number of servers and simplified implementation.
Requires fewer resources since there is no need to track communication over multiple lines or store session information.
Each communication is independent and unrelated to previous or subsequent ones, allowing individual packets of data to travel on their own.
Disadvantages of Stateless:
Additional information may need to be included in each request, requiring the server to interpret this new information.
May degrade network performance by increasing repetitive data delivery in a series of requests, which cannot be saved and reused.
Inherently less capable as they do not store information about a specific user session.

Q5-
The preference for using a stateful or stateless approach depends on various factors, including the specific requirements and constraints of the application, the desired scalability, and the development team's expertise. Both approaches have their own advantages and trade-offs, so there is no one-size-fits-all answer. However, I can provide some considerations to help you make an informed decision:

Stateful Approach:

Advantages:
Well-suited for applications with complex user sessions or workflows.
Easier to manage and manipulate session-specific data on the server-side.
Can offer more fine-grained control over user state and session management.
Trade-offs:
Requires server-side storage and session management, which can impact scalability and resource usage.
May introduce potential synchronization and consistency challenges in distributed environments.
Can be less suitable for stateless or distributed architectures, such as microservices or serverless setups.
Stateless Approach:

Advantages:
Simplicity and scalability due to the absence of server-side session storage.
Easier horizontal scalability and load balancing as there is no reliance on specific server instances.
Suitable for distributed architectures, microservices, and serverless setups.
Trade-offs:
Token-based authentication requires careful handling to ensure security and prevent token leakage.
May result in larger request payloads as all necessary information is included with each request.
Complex session management and workflows may require additional effort and design considerations.

Members: Iroda Yilmaz, Bedreddin Naser, Zeynep Dumlupinar, Zakarie Ali

1. First of all enter the credentials, then those credentials are sent to the authentication server and in the server if there is a match the user is allowed to log in. If there is no match there will be an error.
2. Session/Cookie are stored on users local devices RAM while JWT is stored inside the user's browser.
3. Cookies are stateful while JWT is stateless. The most significant distinction between stateful and stateless is that stateless do not “save” data, whereas stateful applications do. And as a result, the server doesn’t need to preserve server information or details of its sessions, whereas this needs to be done in stateful. In Stateful expects a response and if no answer is received, the request is resent while In stateless, the client sends a request to a server, which the server responds to based on the state of the request.
4. Advantages of Stateful

• Stateful protocol keeps track of the connection information, and as a result, delivers superior performance because of continually keeping track of information.
• Stateful protocols are more intuitive because they can maintain data on the server between two requests.
• They can improve performance when data retrieval is required only once.

Disadvantages of Stateful

• Stateful protocol requires memory allocation in order to store data.
• In the event of inefficient maintenance of session storage, there can be a decrease in the performance. It requires continuous management of the service’s full lifecycle.
• These protocols are highly dependent on the server-side state.
• Usually, stateful protocols require backing storage.
• Since the state is maintained, stateful is not very secure.

Advantages of Stateless

• Since the monitoring system does not have to look beyond a single request to determine its whole nature, visibility of the protocol is improved.
• It is easier to recover from partial failures like crashes since no state is maintained, which improves reliability.
• The server does not have to store session state between requests, hence, scalability is enhanced as deploying the services to any number of servers is possible, and implementation is simplified even more.
• It only necessitates a small number of resources because the system doesn’t need to keep track of communication over numerous lines, as well as session information.
• In Stateless Protocols, each individual communication is unconnected and distinct from the ones that come before or after it.
• Here, each packet of data travels on its own. There is no need to refer to another packet in these packets.

Disadvantages of Stateless

• It may be essential to include additional information in each request, and as a result, the server will need to interpret this new information.
• They may degrade network performance by increasing the amount of repetitive data delivered in a series of requests, which cannot be saved and reused.
• They are inherently less capable as they do not store information about a particular user session.

5. In most cases, stateless is a better option when compared with stateful. However, in the end, it all comes down to your requirements. If you only require information in a transient, rapid, and temporary manner, stateless is the way to go. Stateful, on the other hand, might be the way to go if your app requires more memory of what happens from one session to the next.

Room members: @sheidanouri @cyberRasam @afrakucukaydin Harith Riyadh

1- The user navigates to the website and clicks on the "Sign In" button or link.
The website presents a login page where the user can enter their credentials, such as their username and password.
The user enters their credentials and clicks on the "Sign In" button.
The website verifies the user's credentials by checking them against a database or other source of authentication information.
If the credentials are valid, the website creates a session for the user, which is typically represented by a unique session ID or token. This session is used to keep track of the user's activity on the website, such as the pages they visit and the actions they take.
The website redirects the user to their account dashboard or a landing page for authenticated users.
The user can now access the features and functionality that are available to authenticated users, such as their account information, preferences, or the ability to perform certain actions on the website.

2- Session and cookie data are typically stored on the client-side, while JWT data is typically stored on the server-side. Session data is typically stored on the server, although some implementations may use client-side storage options such as cookies or local storage. In contrast, JWT data is typically stored on the server-side.

3- A stateful system maintains information about the current state of the user's session or interaction. This means that the system stores data about the user's previous interactions with the system and uses that information to make decisions about what to do next.
A stateless system does not maintain information about the user's previous interactions. Instead, each request that the user makes to the system contains all the information needed to process that request, and the system does not store any information about the user's session or interaction.

4- In stateful systems, the server maintains information about the user's session, which allows the system to provide personalized experiences and remember user preferences. However, this can also make the system more complex and harder to scale, as the server must store and manage state information for each user. In contrast, stateless systems are simpler and easier to scale, but may require additional effort to implement user-specific features and preferences.

5- Stateful systems maintain information about the user's session or interaction, while stateless systems do not. Each approach has its own benefits and drawbacks, and the choice between them depends on the specific requirements of the system and the needs of its users.

@motaz99, @tareq, @rayan, @nour KRIMESH

1. 1. User submits login credentials
   2. Backend verifies user credentials
   3. Backend creates a session and stores session ID in a cookie
   4. Backend redirects user to dashboard/homepage
   5. For subsequent requests, browser includes session ID cookie in HTTP request headers
   6. Backend retrieves user's identity and information from session store/database using session ID
   7. When user logs out, backend destroys session by deleting session ID and associated data from session store/database and
      clearing session ID cookie from browser.
2. 1. Session data is stored on the server-side and identified through a session ID cookie on the client-side.
   2. Cookies are stored on the client-side and can hold login information, including session ID.
   3. JWT data is stored on the client-side, either in a cookie or local storage, and sent to the server with each request for
      authentication.
3. 1. Stateful technologies (like PHP, Ruby on Rails, and Django) maintain client-specific data on the server and use this data to
      process subsequent requests.
      2. Stateless technologies (like React and Vue) do not maintain any client-specific data on the server and treat each request as a
      new request.