
Sessions vs JWT vs Cookies: Understanding Authentication Approaches

May 10, 2026 3 min read

Why Authentication Exists

Authentication verifies who a user is.

Example:

  • Logging into a website

  • Accessing a dashboard

  • Using protected APIs

After login, the server needs a way to remember the user.

This is where:

  • Cookies

  • Sessions

  • JWTs

are used.


What Are Cookies?

Cookies are small pieces of data stored in the browser.

The browser automatically sends cookies with future requests.


Cookie Example

Cookie:
sessionId=abc123


How Cookies Work

[Diagram: sequence diagram of how cookies work (browser stores the cookie, then sends it automatically with later requests); the diagram itself is not recoverable from the page text]

Important Point

Cookies themselves are not authentication.

They are only a storage mechanism.

Cookies can store:

  • Session IDs

  • JWT tokens

  • Preferences

  • Theme settings
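Because a cookie is only storage, the server's job is to set it with the right attributes and read it back; here is an added example (not code from the original post) using only Node.js built-ins. The attribute names (HttpOnly, Secure, SameSite) are standard cookie attributes; the cookie name sessionId and value abc123 are the sample from the post.

```javascript
// Added example, not from the original post: a server writes a cookie carrying
// a session ID and later reads it back from the request. The cookie itself has
// no meaning; only the server-side lookup of "sessionId" does.

// Build a Set-Cookie header value with the hardening attributes a session
// cookie should carry by default.
function buildSetCookie(name, value, opts = {}) {
  const {
    maxAgeSeconds = 3600,
    secure = true,     // only sent over HTTPS
    httpOnly = true,   // not readable by page scripts
    sameSite = 'Lax',  // limits sending on cross-site requests
    path = '/',
  } = opts;
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`, `Max-Age=${maxAgeSeconds}`];
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse the Cookie request header ("a=1; b=2") into a plain object.
function parseCookieHeader(header) {
  const out = {};
  if (!header) return out;
  for (const pair of header.split(';')) {
    const idx = pair.indexOf('=');
    if (idx === -1) continue;
    const key = pair.slice(0, idx).trim();
    const value = pair.slice(idx + 1).trim();
    if (key) out[key] = decodeURIComponent(value);
  }
  return out;
}

// Audit a Set-Cookie value: does an auth cookie carry the hardening attributes?
function auditSetCookie(setCookie) {
  const attrs = setCookie.split(';').map((s) => s.trim().toLowerCase());
  return {
    httpOnly: attrs.includes('httponly'),
    secure: attrs.includes('secure'),
    sameSite: attrs.some((a) => a.startsWith('samesite=')),
  };
}

// Usage with the post's sample cookie:
const header = buildSetCookie('sessionId', 'abc123');
parseCookieHeader('sessionId=abc123; theme=dark'); // { sessionId: 'abc123', theme: 'dark' }
auditSetCookie(header);                            // all three flags true
```

The audit function is the check worth keeping around: a session cookie missing HttpOnly or Secure is the kind of misconfiguration that turns "just storage" into an exposed credential.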


What Are Sessions?

Sessions are a server-side authentication mechanism.

After login:

  1. The server creates a session

  2. The session data is stored on the server

  3. The browser receives a session ID cookie

  4. The browser sends the cookie on future requests


Session Authentication Flow

[Diagram: sequence diagram of the session authentication flow (login, server-side session creation, session ID cookie, cookie sent on later requests); the diagram itself is not recoverable from the page text]

Example Session Data

Stored on server:

{
  sessionId: "abc123",
  userId: 15,
  role: "admin"
}


What Is JWT?

JWT stands for:

JSON Web Token

It is a stateless authentication method.

Instead of storing session data on the server:

  • User data is stored inside the token

  • Token is sent with requests

  • Server verifies token signature


JWT Example

eyJhbGciOiJIUzI1NiIs...


JWT Authentication Flow

[Diagram: sequence diagram of the JWT authentication flow (login, server signs a token, client stores it, token sent with requests and verified by signature); the diagram itself is not recoverable from the page text]

Where JWT Is Stored

Usually in:

  • Cookies

  • Local Storage

  • Memory


Stateful vs Stateless Authentication

Stateful Authentication

Server stores login state.

Example:

  • Sessions


Stateless Authentication

Server does not store login state.

Example:

  • JWT


Visual Comparison

[Diagram: flowchart comparing stateful (session) and stateless (JWT) authentication; the diagram itself is not recoverable from the page text]

Session vs JWT

Feature          | Sessions              | JWT
-----------------|-----------------------|------------------
State Type       | Stateful              | Stateless
Data Stored      | Server                | Client token
Scalability      | Moderate              | Better
Logout Handling  | Easy                  | Harder
Token Size       | Small                 | Larger
Common Usage     | Traditional web apps  | APIs / mobile apps

Real-World Usage

Sessions Are Common In

  • Traditional websites

  • Admin dashboards

  • Server-rendered apps

  • Monolithic applications

Example:

  • WordPress

  • Laravel apps

  • Rails apps


JWT Is Common In

  • REST APIs

  • Mobile apps

  • Single-page applications (SPAs)

  • Microservices

Example:

  • React frontend + Node API

  • Mobile authentication


Example: Session-Based Login

User logs in
↓
Server creates session
↓
Browser gets session cookie
↓
Cookie sent automatically


Example: JWT Login

User logs in
↓
Server creates JWT
↓
Client stores token
↓
Token sent in Authorization header


JWT Authorization Header Example

Authorization: Bearer eyJhbGciOiJIUzI1Ni...


Benefits of Sessions

Benefit                | Explanation
-----------------------|---------------------------
Easier Logout          | Server deletes the session
Easier Revocation      | Server controls sessions
Simpler Security Model | Common and mature

Benefits of JWT

Benefit                | Explanation
-----------------------|---------------------------
Scalable               | No session storage needed
Good for APIs          | Easy token sharing
Mobile Friendly        | Works across services
Microservice Friendly  | Stateless architecture

Drawbacks of Sessions

Problem                    | Explanation
---------------------------|----------------------------
Server Memory Usage        | Sessions stored on the server
Harder Horizontal Scaling  | Shared session store needed

Drawbacks of JWT

Problem                      | Explanation
-----------------------------|-------------------------------------
Harder Logout                | Token remains valid until expiry
Larger Request Size          | Token sent repeatedly
Token Revocation Complexity  | Harder than sessions

Common Beginner Confusion

Cookies vs Sessions

Cookies store data in the browser.

Sessions store data on the server.

Usually the cookie contains only the session ID,

not the actual session data.


JWT vs Cookies

JWT is authentication data.

Cookies are storage.

JWT can be stored inside cookies.


Common Architecture Examples

Architecture          | Common Choice
----------------------|--------------
Traditional MVC App   | Sessions
REST API              | JWT
Mobile App Backend    | JWT
Internal Admin Panel  | Sessions
Microservices         | JWT

Simple Decision Guide

Situation                | Recommended
-------------------------|------------
Simple web app           | Sessions
Large distributed API    | JWT
Mobile authentication    | JWT
Server-rendered website  | Sessions

Important Note

Modern systems sometimes combine both:

  • JWT inside secure cookies

  • Session + API tokens

  • Refresh token systems


Key Takeaways

Concept            | Summary
-------------------|-------------------------------
Cookies            | Browser storage mechanism
Sessions           | Server-side authentication
JWT                | Stateless token authentication
Stateful           | Server stores auth state
Stateless          | Token stores auth data
Sessions Best For  | Traditional web apps
JWT Best For       | APIs and distributed systems


There is no universally “best” authentication method.

Choice depends on:

  • Application architecture

  • Scalability needs

  • Frontend type

  • Mobile/API requirements

A junior developer should first understand:

  1. Cookies store data

  2. Sessions store auth state on server

  3. JWT stores auth data inside token

Once these fundamentals are clear, advanced authentication systems become much easier to understand.

