cookies vs jwt for auth

jwtAndCookies.md

Using session Cookie VS. JWT for Authentications

write your answers in the comments below:

• Can you explain the steps that take place when a user signs in to a website?

• Where are each of session/cookie and JWT data stored?

• Which technology is stateful and which is stateless and what is the different between both?

• What are the advantages and disadvantages of each of them in your opinion?

• Overall which one would you prefer to use and why?

Atakan Serbes, Nezir Aydin, Mohamad Zanab, Mustafa Noori

1. Request a protected resource, Server requests username and password, You input username + password, Server validates password and creates a session (session ID), the Session ID is sent to Client, Client stores session ID in cookie, User sends a request with cookie embedded with Session ID, Server validates the session by checking if session IDs match If the session is validated, the server returns the resource.
2. Session data is typically stored on the server side. When a user logs in, the server creates a session and assigns a unique session ID, which is sent to the user's browser and stored as a cookie. For each subsequent request, the browser sends this session ID back to the server, which uses it to retrieve the user's session data. The client stores the JWT in local storage and includes it in the HTTP header for subsequent requests.
3. Session-based authentication is stateful: Here, the server maintains the session data. When a user logs in, the server creates a session for that user and sends a session ID back to the client.
   Token-based authentication (e.g., JWT) is stateless: With token-based authentication, when a user logs in, the server creates a token for that user.
   The difference between stateful and stateless is that stateful means that the server stores information about the client’s session, while stateless means that the server does not store any information about the client’s session.
4. Session cookies are easier to implement but can be vulnerable to cross-site scripting (XSS) attacks. They are also stateful, which means that the server stores information about the client’s session. Reduced client storage: No need to store sensitive data on the client side, reducing the risk of data being exposed.
   JWT is more secure but requires more work to implement. They are also stateless, which means that the server does not store any information about the client’s session. Decoupling: The server and client are completely decoupled and the state is stored on the client side, making this method favorable for distributed systems.
5. Session cookies can be vulnerable to XSS attacks, also CSRF attacks. Session cookies can be difficult to scale to large number of users as each session requires server-side storage of the session state.
   In general, JWT is a better choice for modern web applications because it is more secure and scalable. However, session cookies may be a better choice for legacy applications or applications that require stateful sessions.

@masterofalune @noorin99 @abdulsalamhamandoush

1 - user point of view: enter your email/password into the input then click the button
programmer point of view: User initiates the session by logging in and providing credentials. Then, request is sent from the client side to
the server. The server validates the credentials. If they are correct, the server creates a session for user. The server sends a response back to
the client. The client application or web browser receives the server's response. It "may" store the session cookie or other authentication
tokens locally to maintain the user's sign-in state for future requests. User access granted finally
2 - Sessions and cookies are stored on the server and client-side , while JWT (JSON Web Tokens) are stored on the client-side.
3 - Stateful: Session cookies are used, and the server stores session data on the server-side.
Stateless: JWTs are used, and the server does not store session data.
4 - https://www.interviewbit.com/blog/stateful-vs-stateless/
5 - stateless ty :3, ezy to use modern library use it.

Ismail Dincer, Younes Nourzehi, Asli Sema Gultekin, Jimaa Maya

1-///A user reaches a login page on a website they have previously created an account with.
///The user provides their unique ID and key to verify their identity.
///The login credentials are sent to the server and checked against the originals stored in the website’s Database.
If they match, the user is authenticated and provided access to their account.
///The server sends a cookie to the user's browser and the browser stores it.

2-The session cookie is stored in temporary memory and is not retained after the browser is closed. Session cookies do not collect information from your computer.
A JWT needs to be stored in a safe place inside the user's browser. Any way,you shouldn't store a JWT in local storage (or session storage).

3-Stateful technologies:
Databases
File systems
Web servers
Email servers

Stateless technologies:
HTTP
TCP
UDP
DNS
-The main difference between stateful and stateless systems is in how they handle and store information about past interactions. Stateful systems maintain context and state information, while stateless systems do not.

4-

5-It depends if we want to keep track of the connection or high-level information, we prefer stateful, otherwise we go for stateless.

Abdulrahman Albakkar - Cansu Aysagdic - Omar Qaqish - Özlem Keleş
Q1-
Step 1: The user enters their credentials (username and password) on the website's login page.
Step 2: The website server receives the entered credentials and verifies them against the stored user data (usually in a database).
Step 3: If the credentials are valid, the server creates a session or generates a token (such as a JSON Web Token - JWT) to represent the user's authenticated state.
Step 4: The server sends the session ID or token back to the client (user's browser) as a response.
Step 5: The client stores the session ID or token, usually in a cookie or local storage.
Step 6: For subsequent requests, the client includes the session ID or token in the request headers to authenticate the user's identity.

Q2-
Cookies and Sessions are used to store information. Cookies are only stored on the client-side machine, while sessions get stored on the client as well as the server.
JWT data is self-contained and stored on the client-side. The token itself contains the necessary information (such as user ID, expiration time, etc.) and is typically stored in a client-side storage mechanism, such as local storage or a cookie.

Q3-
Stateful protocol keeps track of the connection information, and as a result, delivers superior performance because of continually keeping track of information.
Stateful protocols are more intuitive because they can maintain data on the server between two requests.
They can improve performance when data retrieval is required only once.
Session and cookie are stateful whereas JWT is stateless.

Q4-
Advantages of Stateful:

Stateful protocol keeps track of the connection information, and as a result, delivers superior performance because of continually keeping track of information.
Stateful protocols are more intuitive because they can maintain data on the server between two requests.
They can improve performance when data retrieval is required only once.
Disadvantages of Stateful:
Stateful protocol requires memory allocation in order to store data.
In the event of inefficient maintenance of session storage, there can be a decrease in the performance. It requires continuous management of the service’s full lifecycle.
These protocols are highly dependent on the server-side state.
Usually, stateful protocols require backing storage.
Since the state is maintained, stateful is not very secure.

Advantages of Stateless:
Improved visibility of the protocol as the system only needs to analyze a single request to understand its nature.
Easier recovery from partial failures, such as crashes, due to the absence of maintained state, leading to improved reliability.
Enhanced scalability as session state does not need to be stored between requests, allowing deployment to any number of servers and simplified implementation.
Requires fewer resources since there is no need to track communication over multiple lines or store session information.
Each communication is independent and unrelated to previous or subsequent ones, allowing individual packets of data to travel on their own.
Disadvantages of Stateless:
Additional information may need to be included in each request, requiring the server to interpret this new information.
May degrade network performance by increasing repetitive data delivery in a series of requests, which cannot be saved and reused.
Inherently less capable as they do not store information about a specific user session.

Q5-
The preference for using a stateful or stateless approach depends on various factors, including the specific requirements and constraints of the application, the desired scalability, and the development team's expertise. Both approaches have their own advantages and trade-offs, so there is no one-size-fits-all answer. However, I can provide some considerations to help you make an informed decision:

Stateful Approach:

Advantages:
Well-suited for applications with complex user sessions or workflows.
Easier to manage and manipulate session-specific data on the server-side.
Can offer more fine-grained control over user state and session management.
Trade-offs:
Requires server-side storage and session management, which can impact scalability and resource usage.
May introduce potential synchronization and consistency challenges in distributed environments.
Can be less suitable for stateless or distributed architectures, such as microservices or serverless setups.
Stateless Approach:

Advantages:
Simplicity and scalability due to the absence of server-side session storage.
Easier horizontal scalability and load balancing as there is no reliance on specific server instances.
Suitable for distributed architectures, microservices, and serverless setups.
Trade-offs:
Token-based authentication requires careful handling to ensure security and prevent token leakage.
May result in larger request payloads as all necessary information is included with each request.
Complex session management and workflows may require additional effort and design considerations.

Members: Iroda Yilmaz, Bedreddin Naser, Zeynep Dumlupinar, Zakarie Ali

1. First of all enter the credentials, then those credentials are sent to the authentication server and in the server if there is a match the user is allowed to log in. If there is no match there will be an error.
2. Session/Cookie are stored on users local devices RAM while JWT is stored inside the user's browser.
3. Cookies are stateful while JWT is stateless. The most significant distinction between stateful and stateless is that stateless do not “save” data, whereas stateful applications do. And as a result, the server doesn’t need to preserve server information or details of its sessions, whereas this needs to be done in stateful. In Stateful expects a response and if no answer is received, the request is resent while In stateless, the client sends a request to a server, which the server responds to based on the state of the request.
4. Advantages of Stateful

• Stateful protocol keeps track of the connection information, and as a result, delivers superior performance because of continually keeping track of information.
• Stateful protocols are more intuitive because they can maintain data on the server between two requests.
• They can improve performance when data retrieval is required only once.

Disadvantages of Stateful

• Stateful protocol requires memory allocation in order to store data.
• In the event of inefficient maintenance of session storage, there can be a decrease in the performance. It requires continuous management of the service’s full lifecycle.
• These protocols are highly dependent on the server-side state.
• Usually, stateful protocols require backing storage.
• Since the state is maintained, stateful is not very secure.

Advantages of Stateless

• Since the monitoring system does not have to look beyond a single request to determine its whole nature, visibility of the protocol is improved.
• It is easier to recover from partial failures like crashes since no state is maintained, which improves reliability.
• The server does not have to store session state between requests, hence, scalability is enhanced as deploying the services to any number of servers is possible, and implementation is simplified even more.
• It only necessitates a small number of resources because the system doesn’t need to keep track of communication over numerous lines, as well as session information.
• In Stateless Protocols, each individual communication is unconnected and distinct from the ones that come before or after it.
• Here, each packet of data travels on its own. There is no need to refer to another packet in these packets.

Disadvantages of Stateless

• It may be essential to include additional information in each request, and as a result, the server will need to interpret this new information.
• They may degrade network performance by increasing the amount of repetitive data delivered in a series of requests, which cannot be saved and reused.
• They are inherently less capable as they do not store information about a particular user session.

5. In most cases, stateless is a better option when compared with stateful. However, in the end, it all comes down to your requirements. If you only require information in a transient, rapid, and temporary manner, stateless is the way to go. Stateful, on the other hand, might be the way to go if your app requires more memory of what happens from one session to the next.

Room members: @sheidanouri @cyberRasam @afrakucukaydin Harith Riyadh

1- The user navigates to the website and clicks on the "Sign In" button or link.
The website presents a login page where the user can enter their credentials, such as their username and password.
The user enters their credentials and clicks on the "Sign In" button.
The website verifies the user's credentials by checking them against a database or other source of authentication information.
If the credentials are valid, the website creates a session for the user, which is typically represented by a unique session ID or token. This session is used to keep track of the user's activity on the website, such as the pages they visit and the actions they take.
The website redirects the user to their account dashboard or a landing page for authenticated users.
The user can now access the features and functionality that are available to authenticated users, such as their account information, preferences, or the ability to perform certain actions on the website.

2- Session and cookie data are typically stored on the client-side, while JWT data is typically stored on the server-side. Session data is typically stored on the server, although some implementations may use client-side storage options such as cookies or local storage. In contrast, JWT data is typically stored on the server-side.

3- A stateful system maintains information about the current state of the user's session or interaction. This means that the system stores data about the user's previous interactions with the system and uses that information to make decisions about what to do next.
A stateless system does not maintain information about the user's previous interactions. Instead, each request that the user makes to the system contains all the information needed to process that request, and the system does not store any information about the user's session or interaction.

4- In stateful systems, the server maintains information about the user's session, which allows the system to provide personalized experiences and remember user preferences. However, this can also make the system more complex and harder to scale, as the server must store and manage state information for each user. In contrast, stateless systems are simpler and easier to scale, but may require additional effort to implement user-specific features and preferences.

5- Stateful systems maintain information about the user's session or interaction, while stateless systems do not. Each approach has its own benefits and drawbacks, and the choice between them depends on the specific requirements of the system and the needs of its users.

@motaz99, @tareq, @rayan, @nour KRIMESH

1. 1. User submits login credentials
   2. Backend verifies user credentials
   3. Backend creates a session and stores session ID in a cookie
   4. Backend redirects user to dashboard/homepage
   5. For subsequent requests, browser includes session ID cookie in HTTP request headers
   6. Backend retrieves user's identity and information from session store/database using session ID
   7. When user logs out, backend destroys session by deleting session ID and associated data from session store/database and
      clearing session ID cookie from browser.
2. 1. Session data is stored on the server-side and identified through a session ID cookie on the client-side.
   2. Cookies are stored on the client-side and can hold login information, including session ID.
   3. JWT data is stored on the client-side, either in a cookie or local storage, and sent to the server with each request for
      authentication.
3. 1. Stateful technologies (like PHP, Ruby on Rails, and Django) maintain client-specific data on the server and use this data to
      process subsequent requests.
      2. Stateless technologies (like React and Vue) do not maintain any client-specific data on the server and treat each request as a
      new request.