Auth

auth.md

Using session Cookie VS. JWT for Authentications

• Can you explain the steps that take place when a user signs in to a website?

• Where are each of session/cookie and JWT data stored?

• Which technology is stateful and which is stateless and what is the different between both?

• What are the advantages and disadvantages of each of them in your opinion?

• Overall which one would you prefer to use and why?

Room 5: Muna Al Haj Eid, Ramz Alzer, Mohammed Elamariah, Wajd

1. a. Access the website.
   b. Locate the sign-in page.
   c. Enter login credentials.
   d. Authenticate credentials.
   e. Redirect to user account.

2. • Session data is stored on the server-side.
   • Cookie data is stored on the client-side.
   • JWT data can be stored on either the client-side or the server-side.

3. Stateful and stateless are two terms used to describe the nature of a system or application. A stateful system maintains information about the current state of a user’s interactions, while a stateless system treats each request as an independent, isolated transaction
   The main difference between stateful and stateless technologies is that stateful technologies maintain information about the current state of a user’s interactions, while stateless technologies treat each request as an independent, isolated transaction. Stateful technologies can provide better performance and reliability, but they can also be more complex and difficult to scale. Stateless technologies are simpler and easier to scale, but they may not be suitable for applications that require persistent state information.

4. Stateful

Advantages:

• Stateful protocols can deliver better performance because they store information that helps future transactions
• Stateful architecture has an excellent extra security layer, making it very popular in the banking and finance sector for online transactions
• Stateful protocols are intuitive due to their ‘memory’
  Disadvantages:
• Memory must be included as part of the server architecture for data storage.
• The server bears a considerable burden on the functionality of the entire application, so stateful applications need an intricate server.
• Performance is partly dependent on the efficiency of the network memory. [This means continuous management throughout the time the service is being offered
  Stateless
  Advantages:
• Stateless applications can be less costly than a similar stateful application
• Stateless applications can be less complex, as there’s no requirement to take in data and keep it on hand, to record it for use later
• Stateless applications are generally easier to manage than stateful applications, which can quickly become heavy with overhead memory requirements.
  Disadvantages:
• Stateless applications may require more network traffic, as each request must contain all the information necessary to complete the transaction
• Stateless applications may require more processing power, as each request must be processed independently
• Stateless applications may not be suitable for applications that require persistent state information

5. Stateful technologies are better suited for applications that require persistent state information, such as online banking and email, while stateless technologies are better suited for applications that require scalability and fault tolerance, such as cloud computing and microservices.
   Use Session Cookies for:
   Simpler, server-side rendered applications with a monolithic architecture.
   Use JWTs for:
   Stateless, distributed systems or microservices, and when scalability is a priority.

Farah, Baraa, Musab, Gorgees
Q1:
User starts sign-in: The user goes to the sign-in page and enters their username/email and password.

Credentials sent: Clicking "Sign In" sends this info to the server.

Server checks credentials: The server verifies the entered details against stored user data.

Authentication: If details match, the server creates a session, giving the user a unique token or cookie.

Session starts: This token is stored on the user's device and used to identify them in future interactions.

Access granted: The user is redirected to the main content, with access to authenticated features.

Session management: The website tracks the user's actions while signed in.

Sign-out or expiration: Logging out or inactivity ends the session by invalidating the token.

Q2:
Session/Cookie Data:

Stored on Server: Information about the user's session is kept on the server.
Stored on Client: A small piece of data (cookie) is sent to and stored on the user's device, helping the server recognize the user in subsequent interactions.
JWT Data:

Contained in Token: All needed information (claims) is packed into a token.
Stored on Client: The token is sent to and stored on the user's device, then included in future requests to the server.

Q3:
Stateless: No storage between requests (e.g., HTTP).
Stateful: maintains user state (e.g., TCP).
Differences:
Data: Stateless has none, stateful retains.
Scalability: Stateless is more scalable.
Complexity: Stateless is simpler.
Examples: Stateless uses HTTP, stateful uses TCP.
Choose based on needs: stateless for simplicity, stateful for context retention.

Q4:
Advantages: Scalable, Simple.
Disadvantages: No context, Increased overhead.
Stateful:

Advantages: Context retention, Efficiency.
Disadvantages: Complex, Scalability challenges.

Q5:
It depends on the specific requirements of the application. For simplicity and scalability, I'd prefer stateless. However, for applications requiring context retention and efficiency, I might opt for stateful

Room #1: Lunar Salameh, Jafar Bino, Dana Omar, Hala Qitouqa, Dana Omar, Mo'mena Salloum.

Q1: Can you explain the steps that take place when a user signs in to a website?

1. A user reaches a login page on a website they have previously created an account with.
2. The user provides their unique ID and key to verify their identity.
3. The login credentials are compared against the originals stored in the website’s server.
4. If they match, the user is authenticated and provided access to their account.

---

Q2: Where are each of session/cookie and JWT data stored?

• Session cookies are stored on client-side computer memory temporarily and never on the disk. Session cookies expire when the user closes the browser.

• JWT is stored on client-side, it can be stored in LocalStorage or in http only cookies.

---

Q3: Which technology is stateful and which is stateless and what is the different between both?

1. Session Cookies:

Session Cookies are STATEFUL because the server keeps track of the user's session on the server side.

1. JWT ( JSON Web Tokens):

JWT's are STATELESS because all the information needed for authentication is contained within the token itself, so the server does not need to store any session information.

Differences:

1. Both session cookies and JWTs can be secure if implemented correctly. However, the security of JWTs depends heavily on proper implementation and the use of secure algorithms for signing.

2. Session cookies require server-side storage, while JWTs are typically self-contained and do not require server-side storage for session information.

3. Session cookies usually have a session timeout, while JWTs include an expiration claim.

---

Q4: What are the advantages and disadvantages of each of them in your opinion?

- Session Cookie Authentication:

Advantages:

• Server Control: The server has complete control over the session and can invalidate any session at any time, which can be useful for handling logout functionality or session expiration.

• Mature Ecosystem: Traditional session management is well-understood, and many web frameworks come with built-in support for session handling.

• HTTPOnly Cookies: Storing session IDs in HTTPOnly cookies can help mitigate the risk of client-side script accessing the data, thus reducing the risk of cross-site scripting (XSS) attacks.

• Simplicity: For developers, working with sessions can be straightforward because the complexity of handling the session data is managed server-side.

Disadvantages:

• Scalability: Sessions can be difficult to scale in distributed systems because session data must be shared across multiple servers or must be re-created with each server instance.

• Resource Intensive: Each session consumes server memory, which can become a problem with a large number of users.

• Cross-Domain Restrictions: Cookies are typically restricted to the domain they're set from, which can complicate architectures that involve multiple domains or services.

- JWT (JSON Web Tokens) Authentication:

Advantages:

• Scalability: JWTs are stateless, meaning the server does not need to keep a record of tokens, which can reduce server load and improve performance in large-scale systems.

• Cross-Domain/Service Authentication: JWTs can be used across different domains and services, making them a good choice for microservices architectures and single sign-on (SSO) systems.

• Flexibility: Tokens can contain custom claims (data), which can include user roles, permissions, and other metadata, allowing for fine-grained access control.

• Mobile Friendly: JWTs are well-suited for mobile API authentication since they do not rely on cookies, which mobile platforms handle differently.

Disadvantages:

• Storage and XSS: Because JWTs are typically stored in local storage for easy access from JavaScript, they can be susceptible to XSS attacks if the application has a vulnerability that allows executing malicious JavaScript.

• Token Revocation: There's no simple way to revoke a JWT. Once issued, a JWT is valid until it expires, unless additional infrastructure is implemented to check a token revocation list.

• Statelessness: While often an advantage, the statelessness of JWTs can also be a drawback. If you need to change a JWT's data, you cannot do so without issuing a new token.

• Complexity: Implementing JWT authentication can be complex, particularly when it comes to handling token expiration and renewal securely.

---

Q5: Overall which one would you prefer to use and why?

• Session cookies are typically used in server-side applications, where the server maintains a session for each user and stores their authentication information in a cookie. This approach is simple and easy to implement, but it can be less secure.

• JWTs are self-contained tokens that contain all the necessary information for authentication, including the user's identity and any additional claims. JWTs are typically used in stateless applications, where the server does not maintain a session for each user.

team members : Raneem , Reem , Malak , Belal.

Q1 :

When a user signs in to a website, there are typically a few steps that take place:

• The user enters their username and password in the login form on the website.
• The website takes these credentials and sends them to the server for verification.
• The server receives the credentials and checks if they match with any registered users in the database.
• If the credentials are valid and match with an existing user, the server generates a session ID or token.
• The server sends the session ID or token back to the user's browser as a response.
• The user's browser then stores this session ID or token (usually in a cookie or local storage) to maintain the user's logged-in state.
  With each subsequent request, the browser sends this session ID or token to the server to prove that the user is authenticated.
• The server then verifies the session ID or token, allowing the user to access their account and perform authorized actions.

Q2 :

When using sessions in web development, the server creates a unique session ID for each user and stores this ID on the server. The session data associated with the session ID is also stored on the server. The session ID is then sent to the client as a cookie, which is stored in the user's browser. Subsequent requests from the client will include the session ID as part of the cookie, allowing the server to retrieve the corresponding session data.
On the other hand, JWT is a self-contained token that carries information in the form of JSON (JSON Web Token) about the user, typically including their identity and other relevant data. JWT is generated by the server and then sent to the client, where it is typically stored in local storage or a cookie. Whenever the client makes subsequent requests to the server, the JWT is included in the request headers to authenticate and authorize the user.
In summary, session and cookie data are stored on the server side, while JWT data is stored on the client side.

Q3:

JWTs are typically stateless, self-contained tokens used in authentication, offering scalability and fitting well in distributed systems and microservices. Cookies can be either stateful, maintaining user sessions by storing session IDs, or stateless, containing all necessary user information like JWTs. Stateless JWTs are more scalable due to minimal server memory use, whereas stateful cookies are preferred for applications requiring consistent user state management. The choice between JWTs and cookies depends on the specific requirements for state management and scalability in web applications.

Q4:

session Cookie:

Advantages:

1-Precision logout i.e. as soon as sessionId is removed from the DB logout occurs.
2-Battle-tested 20+ years in many languages and frameworks.

Disadvantages:

1. This approach affects overall response time because the call to DB is slower and should be repeated for every request sent by the client.
   2-Stateful: Session cookies introduce server-side state, making the application less scalable in a distributed environment. Load balancing becomes more complex when server state needs to be shared or synchronized.

JWT(JSON Web Token):

Advantages:
1-Without sessionStore the same token is used to authenticate on different server as well, as long as the server have the SECRET key.
2-As it doesn't involve DB call to get the session info its much faster than the traditional approach.

Disadvantages:
1-Since JWT is self-contained and will continue to work until it expires. So even if logout happens if someone gets the token they can still able to log in with that and get the user info. To avoid this server need to maintain a blacklist of revoked tokens which defeats the purpose of stateless tokens.
2-Anyone able to perform a man-in-middle attack and sniff the JWT and authenticate the individual credentials because JWT is rarely encrypted.
3-In many real world applications, we may need to store a ton of different information. And storing it in the JWT tokens could exceed the allowed URL length or cookie lengths causing problems. And also we are now sending large volume of data on every request which will cause the network overhead and server may take slightly more time to decode and verify.

Q5:

Both cookies and JWT (JSON Web Tokens) are commonly used for authentication and session management in web applications. Cookies are widely supported by browsers and are easy to implement.
On the other hand, JWT is an open standard for securely transmitting information between parties as a JSON object.
In summary, cookies are simpler to implement and widely supported, making them a good choice for many applications. JWTs offer more flexibility and scalability, especially when building distributed systems.

team : Farah, Feda, Jana,Lina
Q1: Using Session Cookie:

1-User initiates sign-in: The user submits their credentials through a form on the website.
2-Server-side validation: The server validates the user's credentials against the stored data and, upon successful validation, creates a session on the server side. The server then generates a session identifier.
3-Session creation and storage: The session identifier is stored in a session store, and a corresponding session cookie containing the session identifier is sent to the user's browser.
4-Subsequent requests: The user's browser automatically includes the session cookie in subsequent requests to the website. The server uses the session identifier in the cookie to retrieve the user's session data and validate their authentication status for each request.

Using JSON Web Token (JWT):

1-User initiates sign-in: The user submits their credentials through a form on the website.
2-Server-side validation: The server validates the user's credentials against the stored data and, upon successful validation, generates a JWT.
JWT issuance: The JWT is then sent back to the user's browser.
3-Subsequent requests: The user's browser includes the JWT in the request headers for subsequent requests to the website. The server verifies the authenticity and validity of the JWT to authenticate the user.

Q2-session/cookie data is typically stored in the user's browser within the cookie storage.
JWT data is stored in the user's browser within local storage or in memory, as the JWT itself contains user and session information in an encoded format and is sent with each request to the server.

Q3-Feature Session Cookies JWTs
Statefulness Stateful Stateless
Data storage Server-side Client-side (within the token)
A stateless system sends a request to the server and relays the response (or the state) back without storing any information. On the other hand, stateful systems expect a response, track information, and resend the request if no response is received.

Q4- JWT advantage: 1- JWT is a stateless authentication technique based on tokens. 2-it's a client-side stateless session, the server doesn't need to rely on a datastore (database) to keep session data. 3- Security as they Encryption is used to keep data private and needs a key (which must be kept a secret) to decrypt it.

Cookies:Advantages:
Automatic Handling: Cookies are automatically sent by the browser with each HTTP request, simplifying the process of managing user sessions.
Security Features: Cookies support security features like the HTTP-only and Secure flags.
Server-Side Storage: Session data is stored on the server, providing a centralized and controlled location for user state.

Q4- part 2
Dis advantage for JWT : , Security Challenges. Using the same private key for different applications
Token Size: JWTs can be larger in size compared to simple session identifiers stored in cookies and Storage Complexity

Cookies Dis advantage : Server Load: Requires server-side storage and management of session states for each user, leading to potential scalability challenges.
Scalability: Scaling session/cookie-based authentication across multiple servers or in a distributed environment can be complex.

Q5-It depends but the choice between session/cookie-based authentication and JWT-based authentication should be based on the specific requirements of the web application. JWT-based authentication is favored for its stateless, scalable, and decoupled nature, while session/cookie-based authentication offers simplicity and control over session variables.

session-based approaches are more appropriate for applications that priorities server-side control, robust session management, and sensitive data protection.

The decision should consider the application's needs, security considerations, and the ability to implement and maintain the necessary security measures for either approach.

Room 2
Team Names : Hammam Abu Shehadeh / Abedalrhman / Mohmoud Rumaneh / Mohammad Abdullah / Ahmed Shalash
Q1)

1.The user submits their credentials (username/password)(A user reaches a login page on a website they have previously created an account with. )

2.The server verifies the credentials are correct.(The user provides their unique ID and key to verify their identity.)

3.The server generates an identifier to track the user's session.(The login credentials are compared against the originals stored in the website’s server.)

4.That identifier is sent back to the client/browser and stored as a cookie or in local storage for JWT.(If they match, the user is authenticated and provided access to their account.)

---

Q2) Session cookie data is stored on the server in the user's session ID. sent to the client as a reference .While JWT data is stored client-side, usually in local storage.

---

Q3)

Session cookies are stateful, while JWTs are stateless.

Stateful means the server needs to store session data linking session IDs to user accounts. It tracks each user's login status on the server.

Stateless means no session data is stored on the server. The JWT token passed to the client contains all the necessary user information inside it rather than looking it up in the server's session data. The server does not keep track of login state.

So in summary:

Session Cookies:
Stateful - Server stores session data
Server tracks login state
JWT:

Stateless - No session data on server
Token contains user data
Server doesn't track login state
Stateless is considered more scalable since session data does not need to be accessed from the server from everything authenticated request. It also works better from systems with multiple separated severs

---

Q4)
Advantages:
Sessions:

• Server-Side Storage: Sessions are typically stored on the server, which means sensitive data can be kept more securely compared to client-side storage mechanisms.
• Persistence: Session data can persist across multiple requests, allowing for the retention of user-specific information throughout a user's interaction with a website.
• Scalability: Server-side storage allows for better scalability as session data is stored centrally, making it easier to manage and scale the application horizontally.

Cookies:

• Client-Side Storage: Cookies are stored on the client side, reducing the load on the server and potentially improving performance.
• Flexibility: Cookies are versatile and can store various types of data, including user preferences and tracking information.
• Ease of Use: Implementing cookies is relatively straightforward, and many programming languages provide built-in support for handling cookies.

Disadvantages:
Sessions

• Server Load: Sessions may introduce additional load on the server, especially if the session data is extensive or if the server needs to handle a large number of concurrent users.
• Resource Consumption: Storing sessions on the server consumes server resources. If not managed properly, it can impact the overall performance of the server.
• Complexity: Implementing session management may add complexity to the application, and developers need to ensure proper handling of session data, including expiration and cleanup.

Cookies

• Security Concerns: Cookies can be susceptible to security issues such as cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks if not properly secured.
• Limited Storage: Cookies have size limitations, and browsers may limit the number of cookies that can be stored per domain. This can be a constraint when trying to store large amounts of data.
• Privacy Concerns: Cookies can be used for tracking user behavior, which can raise privacy concerns. Many users are now more conscious about online privacy and may choose to disable or clear cookies.

Session cookies store session data on the server and track login state easy to use and invalidate logins, but this server storage and session lookup makes them harder to scale. JWT tokens encode user data into the token itself statelessly, removing the need for server session storage and lookup for better scalability. But JWT tokens can't be revoked easily, only invalidated after expiration time. In summary, session cookies offer an easy traditional approach with the server managing state, while JWT tokens excel in stateless environments where scalability and decentralization matter more than easy session revocation.

---

Q5)
I prefer using JWT authentication over sessions cookies in most cases because JWT tokens allow stateless, scalable user authentication across domains and servers. They fit nicely into modern applications with decoupled front-end and back-end, while avoiding the need for server session storage and look-ups required by cookies. JWT implementation may take more work up-front, but pays off when scaling.

Room 6 1.Nour kayyali 2. Noor Alrai 3.Hasan Mohammad 3.omar

1. 1. User Interaction: Users enter their username (or email address) and password into the designated fields on the login form, then click login
      2.Server-side Processing:
      Authentication: The server receives the user's credentials and compares them to the stored data (usually in a database) for matching usernames and passwords.
      Authorization: If the credentials match, the server authorizes access by generating a session token or cookie.
      Redirection: Upon successful login, the user is redirected to their account dashboard, homepage, or the page they were originally trying to access.

2.Session/Cookie:

--Server-side:
Session ID: A unique identifier for the user's session is typically stored in a database or memory on the server.
Session data: Associated user information (e.g., user ID, preferences) might be stored alongside the session ID on the server.
--Client-side:
Session cookie: The session ID is sent to the user's browser and stored in a cookie. This cookie is automatically sent back to the server with subsequent requests, allowing the server to associate the user with their session data.
JWTs (JSON Web Token): Entirely client-side:
Browser storage: The JWT itself is typically stored in the browser's local storage or session storage.
HttpOnly cookie (recommended): For enhanced security, it's recommended to store JWTs in an HttpOnly cookie

3. Stateful applications retain data between sessions, but stateless applications don't. For example, stateful applications remember products in a user's cart after logging out, while stateless applications treat every login as a new session and cart information is lost. Self-contained stateless apps scale well

4. Stateless (JWT):
   Advantages : The JWT is a self contained token which has authetication information, expire time information, and other user defined claims digitally signed.

Portable: A single token can be used with multiple backends.

No Cookies Required, So It's Very Mobile Friendly

Good Performance: It reduces the network round trip time.

Decoupled/Decentralized: The token can be generated anywhere. Authentication can happen on the resource server, or easily separated into its own server.
Disadvantages

Since JWT tokens cannot be “invalidated” (without maintaining them in a shared db), in JWT approach the logout length precision is set by the expiration length of the access_token. However the “access_token” lifespan can be kept short (typically 10 to 15 mins), so that tokens are automatically “invalidated” after the duration.
Anti-pattern: Sometimes additional and unnecessary information is stored in the JWT. The JWT token should primarily contain user information, and the data authorized to be accessed by that user should be provisioned and managed as a separate service on that respective server.

Stateful (Session/cookie)
Advantages

On logout, since the sessionId is removed from the database, we have a precision logout i.e. logout occurs at the moment the sessionId is removed from the sessionDB

Disadvantages

Needs an additional DB lookup within the sessionId table to get the userId, DB look ups are relatively slower than JWT decrypting action.
Individual servers cannot be scaled separately since they would need to share the sessionDB.

5. While there may never be a clear consensus on which method is superior, the good news is that Stytch provides both options, with the ability to configure the perfect blend of latency vs security for your particular use case. Stytch is a modern authentication and fraud platform that lets you abstract over complexity and enables developers to choose what works for them. This choice includes the ability to switch between JWTs and session cookies as needed.

room 7: hassan AbuGareeb, banan Alafouri, Osama daoud, Ramah madi
Q1:

• Cookie-Based Authentication:

1. The user enters their username and password on the website.
2. Server validation : The server checks the entered credentials against its database to verify the user.
3. Create Session: If credentials are valid, the server creates a session on the server-side and generates a unique session ID.
4. Set Cookie: The server sends a response to the client with a Set-Cookie header containing the session ID. The browser stores this cookie.
5. e. Subsequent Requests: For subsequent requests, the browser automatically includes the cookie in the request header, allowing the server to identify the user.

• JWT-Based Authentication:
  a. User submits credentials: Similar to the cookie-based approach, the user provides their username and password.
  b. Server verifies credentials: The server validates the user's credentials against the stored data.
  c. Generate JWT: If the credentials are valid, the server creates a JWT containing a payload with user information and a signature.
  d. Send JWT to the client: The server sends the JWT to the client as part of the response body or header.
  e. Subsequent Requests: The client includes the JWT in the Authorization header for subsequent requests. The server verifies the token's signature to authenticate the user.

---

Q2:
Session/Cookie-Based Authentication:

• Session Data: Stored on the server.
• Cookie Data: Stored on the client side. The browser holds the cookie containing the session ID

JWT-Based Authentication:

• JWT Data: Stored on the client side.

---

Q3: Stateful applications retain data between sessions, but stateless applications don’t. For example, stateful applications remember products in a user’s cart after logging out, while stateless applications treat every login as a new session and cart information is lost.

Q4:
-Session cookies:
advs:
1-User Friendly: the user can usually ,The client can choose what they need to do with cookies. All the browsers come with settings to clear history including the cookies
2- Availability: Cookies can also set to be made available for a longer period of time. Once the cookies are stored on the user's hard drive, it will be available as long as the user deletes them manually.
3-Occupies less memory
4- Cookies can store any type of data, including text, numbers, and even images.
disAdvs:
1-Security Risks: since they're stored on the user's hard-drive, an intruder can access these files and read the data inside.
2-Size Limitations :they cannot store large amount of information. Most cookies are able to store information only up to 4kb,
some browsers also have limitations on the number of cookies per website.
3-Manual Disabling: Browsers also comes with the option to disable cookies
4- privacy concerns: cookies stores all the website that the users visits, this information can be accessed by any third parties including government agencies and businesses or advertisers.
-JWT :
advs:
1-Easy to use: One of the main reasons why developers love using JWT is its ease of use and simplicity
2-Tokens Offer Robust Security: Since tokens like JWT are stateless, only a secret key can validate it when received at a server-side application, which was used to create it.
3-Token-based Authentication is more Scalable and Efficient
disAdvs:
1-Compromised Secret Key: One of the major cons of relying on tokens is that it relies on just one key.
2- Server cannot identify clients: Once the token is issued, the server has no idea whether the client is active or not. It is only when they ask for a refreshed token that the server actually gets to know their status.
3-Data Overhead
The overall size of a JWT is quite more than that of a normal session token, which makes it longer whenever more data is added to it
4-horter Lifespan
Short-lived JWT are harder for users to work with. These tokens require frequent reauthorization

Q-5 I would prefer stateless cuz stateless protocol design simplify the server design. The Stateful protocol design makes the design of server very complex and heavy. Stateless Protocols works better at the time of crash because there is no state that must be restored.

✨ Team members: Najwan Shawareb, Sanad Alshobaki, Rinad AQ., Dana AlSiddig ✨

Q1. They enter their credentials (username/email, password). The client sends this info to the server securely. The server validates the credentials. If valid, the server creates a session, generates a token, and sends it back to the client. The client stores the token and uses it for future requests. The user is redirected to a signed-in page. Throughout the session, the server manages authentication and tracks user activity.

Q2.
Client-Side:
Session Cookies: Stored in the user's browser's cookie storage.
JWTs: Typically stored in browser storage (e.g., localStorage).

Server-Side:
Session Data: Stored on the server.
JWTs: Not stored on the server; validated using a secret or public key.

Q3.
Stateful:
Example: Traditional web applications with server-side sessions.
Characteristics: Server maintains client state; requests depend on server-stored data.

Stateless:
Example: RESTful APIs, Token-based Authentication (e.g., JWT).
Characteristics: Each request is independent; server doesn't store client state.

Q4.
Advantages:

1. More scalable.
2. Simpler design.
3. Flexible distribution.

Disadvantages:

1. Challenging session management.
2. Limited functionality for complex workflows.
3. Increased payload size.

Considerations:

• Choose stateful for continuous sessions.
• Choose stateless for scalability.
• Modern applications often use a combination.

Q5.
The preference between stateful and stateless architectures depends on the specific needs of the application:

Stateful:

1. Prefer for continuous user sessions and complex workflows.
2. Provides a seamless user experience and supports rich functionality.

Stateless:

1. Prefer for scalability and decoupled services.
2. Offers simplicity, scalability, and is suitable for microservices architectures.

Considerations:

• Hybrid approaches are common, combining stateful and stateless components.
• Choose based on the unique requirements of the application, balancing user experience and scalability.

Mohamad Sheikh Alshabab, Mohamad ms, Ahmad Jouma

q1 -
1- A user reaches a login page on a website they have previously created an account with.
2- The user provides their unique ID and key to verify their identity.
3- The login credentials are compared against the originals stored in the website’s server.
4- If they match, the user is authenticated and provided access to their account.

---

q2-

• Session: is stored on the server.
• Cookie: is stored on the client-side.
• JWT: can stored on the client-side or the server.

---

q3-

• Session Cookies: STATEFUL

• JWT ( JSON Web Tokens): STATELESS

• Stateless is more scalable, simpler and doesn't store the data, while STATEFUL is the opposite.

---

q4-

• Sessions: Sessions rely on server-side storage and are inherently stateful, which can be a drawback in modern microservices and distributed systems.
• JWT: JWTs are stateless, which can be advantageous for scalability but challenging for scenarios requiring centralized session management.

---

q5- we prefer JWT for simplicity and scalability.

Team Members : Abdullah Alawad , Lujain Mansour, Lin

Q.1 1- on the login page using POST request (form submission), the server extracts the entered username and password from the form data.
2- User Authentication:
The server checks if the entered username exists in the user database.
If the username is found, it compares the hashed version of the entered password with the stored hashed password for that user.

3-Session Creation:
If the authentication is successful, a session is created. In this example, the username is stored in the session using session object.

4-Redirect to for example: Dashboard (the selected page to redirect after logging in):
The user is then redirected to the /dashboard route.

5-Dashbord Route (/dashboard) and check Authentication:
The /dashboard route is defined to display the user's dashboard and it will check if the user is authenticated by verifying the presence of the 'username' in the session.

6-Display Dashboard or Redirect:
If authenticated, the server displays a welcome message on the dashboard. If not authenticated, the user is redirected back to the login page.

Q.2) Session and Cookie Data: Stored on the client side.
JWT Data (JSON Web Token) :
Primarily stored on the client side, but can also be stored on the server side. Session and cookie data are often used in traditional web applications; JWTs have become popular in modern.

Q.3) Stateful and stateless are terms often used to describe the behavior of computer systems, applications, or protocols.
Stateful technologies: A stateful system retains information about the current state of a user's interactions or the overall system's status it is like TCP, keeps tracking and stores past interactions and maintaining a state.
Stateless technologies: stateless system does not store information about the state of a user's interactions or the overall system's status between requests it is like HTTP, treat each request independently without remembering past states. Stateful can offer context but may be resource-intensive, while stateless is simpler and more scalable but lacks context between interactions.

Q.4 Advantages of Stateful Systems:
Can offer a more user-friendly and personalized experience.
Simplifies certain aspects of application development.

Disadvantages of Stateful Systems:
Increased server overhead and potential scalability issues.
Dependency on server-side storage, which can be a single point of failure.

Advantages of Stateless Systems:
Improved scalability and performance due to reduced server-side storage requirements.
Easier to distribute requests across multiple servers (load balancing).

Disadvantages of Stateless Systems:
Some applications may find it challenging to implement certain features without session data.
Increased data transfer with each request, potentially impacting network performance.

Q.5)choosing session cookies for simplicity and ease of use. Opt for JWTs for stateless, scalable applications, considering their versatility despite potential complexity. The decision hinges on your specific application requirements.