
@Kishimoto96
Forked from halitbatur/jwtAndCookies.md
Created May 11, 2023 12:54
cookies vs jwt for auth

Using Session Cookies vs. JWT for Authentication

Write your answers in the comments below:

  • Can you explain the steps that take place when a user signs in to a website?

  • Where are each of session/cookie and JWT data stored?

  • Which technology is stateful and which is stateless, and what is the difference between the two?

  • What are the advantages and disadvantages of each of them in your opinion?

  • Overall which one would you prefer to use and why?

@badrnasher

Members: Iroda Yilmaz, Bedreddin Naser, Zeynep Dumlupinar, Zakarie Ali

  1. First of all, the user enters the credentials; those credentials are sent to the authentication server, and if there is a match on the server the user is allowed to log in. If there is no match, there will be an error.
  2. Sessions/cookies are stored in the RAM of the user's local device, while the JWT is stored inside the user's browser.
  3. Cookies are stateful while JWT is stateless. The most significant distinction between stateful and stateless is that stateless applications do not “save” data, whereas stateful applications do. As a result, the server doesn’t need to preserve server information or details of its sessions, whereas this needs to be done in stateful applications. A stateful protocol expects a response, and if no answer is received the request is resent, while in a stateless protocol the client sends a request to a server, which the server responds to based on the state of the request.
  4. Advantages of Stateful
  • Stateful protocol keeps track of the connection information, and as a result, delivers superior performance because of continually keeping track of information.
  • Stateful protocols are more intuitive because they can maintain data on the server between two requests.
  • They can improve performance when data retrieval is required only once.

Disadvantages of Stateful

  • Stateful protocol requires memory allocation in order to store data.
  • In the event of inefficient maintenance of session storage, there can be a decrease in the performance. It requires continuous management of the service’s full lifecycle.
  • These protocols are highly dependent on the server-side state.
  • Usually, stateful protocols require backing storage.
  • Since the state is maintained, stateful is not very secure.

Advantages of Stateless

  • Since the monitoring system does not have to look beyond a single request to determine its whole nature, visibility of the protocol is improved.
  • It is easier to recover from partial failures like crashes since no state is maintained, which improves reliability.
  • The server does not have to store session state between requests, hence, scalability is enhanced as deploying the services to any number of servers is possible, and implementation is simplified even more.
  • It only necessitates a small number of resources because the system doesn’t need to keep track of communication over numerous lines, as well as session information.
  • In Stateless Protocols, each individual communication is unconnected and distinct from the ones that come before or after it.
  • Here, each packet of data travels on its own. There is no need to refer to another packet in these packets.

Disadvantages of Stateless

  • It may be essential to include additional information in each request, and as a result, the server will need to interpret this new information.
  • They may degrade network performance by increasing the amount of repetitive data delivered in a series of requests, which cannot be saved and reused.
  • They are inherently less capable as they do not store information about a particular user session.
  5. In most cases, stateless is a better option when compared with stateful. However, in the end, it all comes down to your requirements. If you only require information in a transient, rapid, and temporary manner, stateless is the way to go. Stateful, on the other hand, might be the way to go if your app requires more memory of what happens from one session to the next.

@afrakucukaydin

Room members: @sheidanouri @cyberRasam @afrakucukaydin Harith Riyadh

1- The user navigates to the website and clicks on the "Sign In" button or link.
The website presents a login page where the user can enter their credentials, such as their username and password.
The user enters their credentials and clicks on the "Sign In" button.
The website verifies the user's credentials by checking them against a database or other source of authentication information.
If the credentials are valid, the website creates a session for the user, which is typically represented by a unique session ID or token. This session is used to keep track of the user's activity on the website, such as the pages they visit and the actions they take.
The website redirects the user to their account dashboard or a landing page for authenticated users.
The user can now access the features and functionality that are available to authenticated users, such as their account information, preferences, or the ability to perform certain actions on the website.

2- Session and cookie data are typically stored on the client-side, while JWT data is typically stored on the server-side. Session data is typically stored on the server, although some implementations may use client-side storage options such as cookies or local storage. In contrast, JWT data is typically stored on the server-side.

3- A stateful system maintains information about the current state of the user's session or interaction. This means that the system stores data about the user's previous interactions with the system and uses that information to make decisions about what to do next.
A stateless system does not maintain information about the user's previous interactions. Instead, each request that the user makes to the system contains all the information needed to process that request, and the system does not store any information about the user's session or interaction.

4- In stateful systems, the server maintains information about the user's session, which allows the system to provide personalized experiences and remember user preferences. However, this can also make the system more complex and harder to scale, as the server must store and manage state information for each user. In contrast, stateless systems are simpler and easier to scale, but may require additional effort to implement user-specific features and preferences.

5- Stateful systems maintain information about the user's session or interaction, while stateless systems do not. Each approach has its own benefits and drawbacks, and the choice between them depends on the specific requirements of the system and the needs of its users.

@motaz99

motaz99 commented May 11, 2023

@motaz99, @tareq, @rayan, @nour KRIMESH

    1. User submits login credentials
    2. Backend verifies user credentials
    3. Backend creates a session and stores session ID in a cookie
    4. Backend redirects user to dashboard/homepage
    5. For subsequent requests, browser includes session ID cookie in HTTP request headers
    6. Backend retrieves user's identity and information from session store/database using session ID
    7. When user logs out, backend destroys session by deleting session ID and associated data from session store/database and clearing session ID cookie from browser.

    1. Session data is stored on the server-side and identified through a session ID cookie on the client-side.
    2. Cookies are stored on the client-side and can hold login information, including session ID.
    3. JWT data is stored on the client-side, either in a cookie or local storage, and sent to the server with each request for authentication.

    1. Stateful technologies (like PHP, Ruby on Rails, and Django) maintain client-specific data on the server and use this data to process subsequent requests.
    2. Stateless technologies (like React and Vue) do not maintain any client-specific data on the server and treat each request as a new request.
