@halitbatur
Created June 2, 2022 09:11
cookies vs jwt for auth

Using session cookies vs. JWT for authentication

write your answers in the comments below:

  • Can you explain the steps that take place when a user signs in to a website?

  • Where are each of session/cookie and JWT data stored?

  • Which technology is stateful and which is stateless, and what is the difference between both?

  • What are the advantages and disadvantages of each of them in your opinion?

  • Overall which one would you prefer to use and why?

@muhammed-shihebi-boot

Dilara Fırtına, Mohammad Sheikh Ibrahim, Mehmet Baki, Muhammed Şihebi

https://docs.google.com/document/d/1AtYA1fweX6yXjquRIfadDjP_DHn3BHyO6mUmrivwE8g/edit?usp=sharing

@cbaksakal

cbaksakal commented Jun 2, 2022

Rama, Abdul Hafız, Cengiz

1. Can you explain the steps that take place when a user signs in to a website?

  • User logs in with his/her username and password
  • Credentials are saved in session/cookie or JWT
  • Cookie/session or encrypted JWT sent back to user
  • Auth request is sent by the client
  • This request is put into verification
  • If verified, user does not need to type in his/her credentials at every request

2. Where are each of session/cookie and JWT data stored?

  • Session -> on server
  • Cookies -> on browser
  • JWT -> tokenized and sent back to the client

3. Which technology is stateful and which is stateless and what is the different between both?

JWT is stateless. No temporary data is saved locally or on the server. Session/cookie saves state; keeps temporary data on browser or server.
JSON Web Tokens (JWT) are referred to as stateless because the authorizing server needs to maintain no state.

4. What are the advantages and disadvantages of each of them in your opinion?

  • JWT does not put strain on memory (since it is on the client side); sessions might get bigger and take up considerable memory on the server
  • JWT uses only one key; when it is exposed, one can acquire all user data
  • JWTs expire at specific times, whereas sessions expire with respect to the user's activity
  • JWTs aren't easily revocable

5. Overall which one would you prefer to use and why?

JWT because it is common.

@irem-kurt

@laragurol

1) Can you explain the steps that take place when a user signs in to a website?

For Session-Based Authentication
When the user logs in, the server creates a session for the user and stores the session data in server memory.
A session ID is created and stored in a cookie in the client's browser while the user performs activity on the website. On every request the user makes, the cookie is sent along with it.
The server can then verify the session data in the cookie against the session data stored in server memory when the user logged in initially. When the user logs out of the website, that session data is deleted from the database and from server memory.

For Token-Based Authentication
When the user sends a request for authentication with the login details, the server creates an encrypted token in the form of a JSON Web Token (JWT) and sends it back to the client. When the client receives a token, it means that the user is authenticated to perform any activity using the client.
The JWT is stored on the client side, usually in localStorage, and it is sent as a unique key of that user when the user requests any data from the server or performs any activity on that website. So, when the request is received by the server, it validates the JWT on every request to confirm that it is that particular user, and then sends the required response back to the client.

2) Where are each of session, cookie and JWT data stored?
Session: Session data is stored server-side. The default server-side session storage is MemoryStore. (server MemoryStore is a data service that provides fast in-memory storage that is accessible across servers. It offers two primitive data structures: queues and sorted maps. In comparison to a data store, a memory store provides lower latency and higher throughput in exchange for reduced durability.)

Cookie: cookies are stored in the browser.

JWT: in the user’s browser. It’s not to be stored in local storage (or session storage). If any of the third-party scripts you include in your page is compromised, it can access all your users’ tokens. To keep them secure, you should always store JWTs inside an httpOnly cookie. This is a special kind of cookie that’s only sent in HTTP requests to the server. It’s never accessible (both for reading or writing) from JavaScript running in the browser.

3) Which technology is stateful and which is stateless, and what is the difference between both?
Stateless protocols are the type of network protocol in which the client sends a request to the server and the server responds according to the current state. They do not require the server to retain session information or a status about each communicating partner across multiple requests.
HTTP (Hypertext Transfer Protocol), UDP (User Datagram Protocol), DNS (Domain Name System)

In a stateful protocol, if the client sends a request to the server, it expects some kind of response; if it does not get a response, it resends the request.
FTP (File Transfer Protocol) and Telnet are examples of stateful protocols.

Difference
The most significant distinction between stateful and stateless is that stateless do not “save” data, whereas stateful applications do. And as a result, the server doesn’t need to preserve server information or details of its sessions, whereas this needs to be done in stateful. A stateful application’s ability to maintain its state is crucial, but any data that goes through a stateless service is often short-lived. Any linked storage is usually transient. If the container is restarted, for example, any data stored will be lost. Running a single instance of a database for testing can be a fairly simple task when it comes to stateless. However, managing the whole life cycle of a stateful app’s service can be quite difficult. Production deployment and operation are two factors that contribute to this complexity. Both of these require highly available deployment, scaling, and error handling techniques. Each stateful data service requires or supports a certain form of storage. Furthermore, identifying the type of backing storage for a stateful application is notoriously difficult. When it comes to statelessness, none of this is required.

4) What are the advantages and disadvantages of each of them in your opinion?

Advantages of Stateful
Stateful protocol keeps track of the connection information, and as a result, delivers superior performance because of continually keeping track of information.
Stateful protocols are more intuitive because they can maintain data on the server between two requests.
They can improve performance when data retrieval is required only once.
Disadvantages of Stateful
Stateful protocol requires memory allocation in order to store data.
In the event of inefficient maintenance of session storage, there can be a decrease in the performance. It requires continuous management of the service’s full lifecycle.
These protocols are highly dependent on the server-side state.
Usually, stateful protocols require backing storage.
Since the state is maintained, stateful is not very secure.
Advantages of Stateless
Since the monitoring system does not have to look beyond a single request to determine its whole nature, visibility of the protocol is improved.
It is easier to recover from partial failures like crashes since no state is maintained, which improves reliability.
The server does not have to store session state between requests, hence, scalability is enhanced as deploying the services to any number of servers is possible, and implementation is simplified even more.
It only necessitates a small number of resources because the system doesn’t need to keep track of communication over numerous lines, as well as session information.
In Stateless Protocols, each individual communication is unconnected and distinct from the ones that come before or after it.
Here, each packet of data travels on its own. There is no need to refer to another packet in these packets.
Disadvantages of Stateless
It may be essential to include additional information in each request, and as a result, the server will need to interpret this new information.
They may degrade network performance by increasing the amount of repetitive data delivered in a series of requests, which cannot be saved and reused.
They are inherently less capable as they do not store information about a particular user session.

5) Overall which one would you prefer to use and why?
In most cases, stateless is a better option when compared with stateful. However, in the end, it all comes down to your requirements. If you only require information in a transient, rapid, and temporary manner, stateless is the way to go. Stateful, on the other hand, might be the way to go if your app requires more memory of what happens from one session to the next.

@halakhellow

@khatibAmjad

Team: Lara - Nilay - Melek - Amjad


@awiednoor

Noor Awied, Huzeyfe AbdullahOglu, Israa Qaba

Can you explain the steps that take place when a user signs in to a website?

  A user reaches a login page on a website they have previously created an account with.
  The user information request is sent 
  The user provides their unique ID and key to verify their identity.
  The login credentials are compared against the originals stored in the website’s server.
  If they match, the user is authenticated and provided access to their account.

Where are each of session/cookie and JWT data stored?
Session is stored in server memory
JWT is stored in the browser with a secret key

Which technology is stateful and which is stateless and what is the different between both?
Stateful: session
After successful authentication, the application generates a random token to send back to the client, then creates a client authenticated session in memory or an internal database
Stateless: JWT
After successful authentication, the application generates a token with all necessary data, signs it with a public key and sends it back to the client. There is a standard for token generation: JWT (JSON Web Token). The process is described in the OpenID Connect (OIDC) specification

What are the advantages and disadvantages of each of them in your opinion?
Cookies
JWT is better in terms of scaling, because sessions can cause problems when lots of users are accessing the server at once, since they are stored in server memory
Security:
JWTs can be decoded even though they are semi-secure, and no sensitive information should be included in them.

Overall which one would you prefer to use and why?

Session cookies take up very little bandwidth, whereas bandwidth consumption will be higher in the JWT-based approach; however, JWT is stateless and not restricted to presenting session-like information about the authenticated user itself

Resources:
https://hackernoon.com/using-session-cookies-vs-jwt-for-authentication-sd2v3vci
https://www.openidentityplatform.org/blog/stateless-vs-stateful-authentication
https://stackoverflow.com/questions/27666810/json-web-token-jwt-advantages-disadvantages-over-cookies

@khaldarov

khaldarov commented Jun 2, 2022

Sara Hamoud, Adnan Khaldar, Yaman Rajab

Can you explain the steps that take place when a user signs in to a website?

  • The user enters their credentials (information) in the website's login form.
  • The credentials are then sent to the authentication server, with the password part hashed.
  • If the credentials match the registered pair (the username and the password), the system authenticates the user and grants them access to their account.
  • If there is no match, the user gets an error message or prompt asking them to check their info and try again.

Where are each of session/cookie and JWT data stored?

  • Session’s cookies are stored in the client side containing session ID, and the session, itself, is stored on the server side.
  • JSON Web Tokens are stored in the client side.

Which technology is stateful and which is stateless, and what is the difference between both?

HTTP, DNS, and UDP use stateless protocols.

  • do not require the server to retain server information or session details,
  • there is no tight dependency between server and client,
  • are easy to implement on the Internet.

FTP (File Transfer Protocol) and Telnet use stateful protocols.

  • require the server to save status and session information,
  • there is a tight dependency between server and client,
  • are logically heavy to implement on the Internet.

What are the advantages and disadvantages of each of them in your opinion?

Stateless:

Advantages:

  • Does not require the server to retain information about the state.
  • Server design, implementation and architecture is simple.
  • Handles crashes well, as we can fail over to a completely new server, and servers are regarded as cheap commodity machines
  • Scaling architecture is easy.

Disadvantages:

  • They may decrease network performance by increasing the repetitive data sent in a series of requests.

Stateful :

Advantages:

  • Stateful Protocols provide better performance to the client by keeping track of the connection information.

Disadvantages

  • Requires server to save information about a session.
  • Server design, implementation and architecture is complicated.
  • Does not handle crashes well.
  • Servers are considered pricey but long living.
  • The user would probably be logged out and have to start from the beginning.
  • Scaling architecture is difficult and complex.

Overall which one would you prefer to use and why?

Regarding the advantages of stateless and the disadvantages of stateful protocol, I would choose the stateless protocol.
