Skip to main content
HashnodeNode.jsNode.js

Command Palette

Search for a command to run...

Sessions vs JWT vs Cookies: Understanding Authentication Approaches

Updated
6 min read
K
Kanishka Shashi

Authentication is the backbone of any secure web application. Whether you’re building a social media platform, an e-commerce store, or a SaaS product, you must answer one critical question:

How do you verify and maintain a user’s identity across requests?

This is where Sessions, JWT (JSON Web Tokens), and Cookies come into play. These are the three most commonly used approaches for handling authentication in modern web development, especially in environments like Node.js and Express.js.

In this detailed blog, we’ll break down each approach, compare them, and help you decide which one to use in real-world applications.

What is Authentication?

Authentication is the process of verifying who a user is.

Example:

  • User logs in with email/password

  • Server verifies credentials

  • Server maintains user identity for future requests

Understanding Cookies

What are Cookies?

Cookies are small pieces of data stored in the user’s browser. They are automatically sent with every HTTP request to the server.

Example:

Set-Cookie: userId=12345

How Cookies Work

  1. User logs in

  2. Server sends a cookie

  3. Browser stores it

  4. Browser sends cookie with every request

Types of Cookies

  • Session Cookies → deleted when browser closes

  • Persistent Cookies → stored for a defined time

  • HttpOnly Cookies → not accessible via JavaScript

  • Secure Cookies → sent only over HTTPS

Advantages of Cookies

  • Easy to implement

  • Automatically managed by browser

  • Works well with sessions

Disadvantages of Cookies

  • Limited storage (~4KB)

  • Vulnerable to XSS (Cross-Site Scripting)

  • Can be intercepted if not secure

Session-Based Authentication

What are Sessions?

A session is a server-side storage mechanism that keeps track of user data.

Instead of storing user info in the browser, the server stores it and assigns a session ID.

How Sessions Work

  1. User logs in

  2. Server creates session (stored in memory/database)

  3. Server sends session ID via cookie

  4. Browser sends session ID with each request

  5. Server retrieves session data

Example in Express

Using express-session:

const session = require("express-session");

app.use(session({
  secret: "mySecretKey",
  resave: false,
  saveUninitialized: true
}));

app.post("/login", (req, res) => {
  req.session.user = { id: 1, name: "Kanishka" };
  res.send("Logged in");
});

app.get("/profile", (req, res) => {
  if (req.session.user) {
    res.send(req.session.user);
  } else {
    res.send("Not logged in");
  }
});

Advantages of Sessions

  • More secure (data stored on server)

  • Easy to invalidate (logout = destroy session)

  • Works well with traditional web apps

Disadvantages of Sessions

  • Requires server memory

  • Not scalable without external storage (like Redis)

  • Slower in distributed systems

JWT (JSON Web Token) Authentication

What is JWT?

A JWT is a self-contained token that stores user information and is digitally signed.

Popular library: jsonwebtoken

Structure of JWT

A JWT has 3 parts:

Header.Payload.Signature

Example:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

How JWT Works

  1. User logs in

  2. Server generates JWT

  3. Token is sent to client

  4. Client stores token (cookie/localStorage)

  5. Client sends token with each request

  6. Server verifies token

Example in Express

const jwt = require("jsonwebtoken");

app.post("/login", (req, res) => {
  const user = { id: 1, name: "Kanishka" };

  const token = jwt.sign(user, "secretKey", { expiresIn: "1h" });

  res.json({ token });
});

app.get("/profile", (req, res) => {
  const token = req.headers.authorization;

  jwt.verify(token, "secretKey", (err, decoded) => {
    if (err) return res.send("Invalid token");
    res.send(decoded);
  });
});

Advantages of JWT

  • Stateless (no server storage needed)

  • Scalable (ideal for microservices)

  • Fast performance

  • Can be used across multiple services

Disadvantages of JWT

  • Cannot easily revoke tokens

  • Larger payload size

  • Security risks if stored improperly

Sessions vs JWT vs Cookies

Let’s compare them side by side:

Feature Sessions JWT Cookies
Storage Server-side Client-side Client-side
Scalability Low (needs shared storage) High Medium
Security High Medium (depends on storage) Medium
Performance Slower Faster Fast
Revocation Easy Difficult Depends
Use Case Traditional apps APIs, microservices Storage mechanism

Relationship Between Them

Many developers get confused, but here’s the truth:

👉 Cookies are just a storage mechanism 👉 Sessions and JWT are authentication strategies

Common combinations:

  • Session + Cookie

    • Store session ID in cookie

  • JWT + Cookie

    • Store token in HttpOnly cookie

  • JWT + LocalStorage

    • Store token in browser storage

Security Considerations

1. XSS (Cross-Site Scripting)

  • Attackers inject scripts

  • Can steal tokens from localStorage

✅ Solution:

  • Use HttpOnly cookies

2. CSRF (Cross-Site Request Forgery)

  • Exploits automatic cookie sending

✅ Solution:

  • CSRF tokens

  • SameSite cookies

3. Token Leakage

  • Avoid storing JWT in localStorage for sensitive apps

4. HTTPS Usage

Always use:

Secure; HttpOnly

When to Use What?

✅ Use Sessions When:

  • Building traditional web apps

  • You need strong security

  • Server-side rendering

✅ Use JWT When:

  • Building REST APIs

  • Microservices architecture

  • Mobile apps

✅ Use Cookies When:

  • You need automatic request handling

  • Storing session IDs or tokens

Real-World Examples

1. Banking Application

  • Uses Sessions

  • High security required

2. Social Media Platform

  • JWT for APIs

  • Cookies for browser storage

3. SaaS Dashboard

  • JWT + refresh tokens

Advanced Concepts

Refresh Tokens

Used with JWT to maintain sessions:

  • Short-lived access token

  • Long-lived refresh token

Token Rotation

  • Generate new tokens frequently

  • Improve security

Session Storage Options

  • Memory (default)

  • Redis

  • Databases

Common Mistakes

  • ❌ Storing JWT in localStorage without protection

  • ❌ Not using HTTPS

  • ❌ Ignoring token expiration

  • ❌ Not validating sessions properly

Conclusion

Authentication is not just about logging users in—it’s about maintaining trust and security throughout the user’s journey.

  • Sessions → Secure but less scalable

  • JWT → Scalable but requires careful handling

  • Cookies → Storage mechanism, not authentication itself

Choosing the right approach depends on your application type, scalability needs, and security requirements.

Final Thoughts

In modern development with Node.js and Express.js:

  • Use Sessions for simplicity and security

  • Use JWT for scalability and APIs

  • Use Cookies wisely for storage

A smart combination often works best.

#session#jwt#cookies#authentication#nodejs#node#nodejs-developer#node-js#web-development#webdev#full-stack#full-stack-development#fullstack
2 views

Comments

Join the discussion

No comments yet. Be the first to comment.

More from this blog

N

Node.js

16 posts