-
Can you explain the steps that take place when a user signs in to a website?
-
Where are each of session/cookie and JWT data stored?
-
Which technology is stateful and which is stateless and what is the different between both?
-
What are the advantages and disadvantages of each of them in your opinion?
-
Overall which one would you prefer to use and why?
Created
January 15, 2024 12:27
-
-
Save halitbatur/e8bfed63750922971ec89e2bff34a1a6 to your computer and use it in GitHub Desktop.
Auth
room 7: hassan AbuGareeb, banan Alafouri, Osama daoud, Ramah madi
Q1:
- Cookie-Based Authentication:
- The user enters their username and password on the website.
- Server validation : The server checks the entered credentials against its database to verify the user.
- Create Session: If credentials are valid, the server creates a session on the server-side and generates a unique session ID.
- Set Cookie: The server sends a response to the client with a Set-Cookie header containing the session ID. The browser stores this cookie.
- e. Subsequent Requests: For subsequent requests, the browser automatically includes the cookie in the request header, allowing the server to identify the user.
- JWT-Based Authentication:
a. User submits credentials: Similar to the cookie-based approach, the user provides their username and password.
b. Server verifies credentials: The server validates the user's credentials against the stored data.
c. Generate JWT: If the credentials are valid, the server creates a JWT containing a payload with user information and a signature.
d. Send JWT to the client: The server sends the JWT to the client as part of the response body or header.
e. Subsequent Requests: The client includes the JWT in the Authorization header for subsequent requests. The server verifies the token's signature to authenticate the user.
Q2:
Session/Cookie-Based Authentication:
- Session Data: Stored on the server.
- Cookie Data: Stored on the client side. The browser holds the cookie containing the session ID
JWT-Based Authentication:
- JWT Data: Stored on the client side.
Q3: Stateful applications retain data between sessions, but stateless applications don’t. For example, stateful applications remember products in a user’s cart after logging out, while stateless applications treat every login as a new session and cart information is lost.
Q4:
-Session cookies:
advs:
1-User Friendly: the user can usually ,The client can choose what they need to do with cookies. All the browsers come with settings to clear history including the cookies
2- Availability: Cookies can also set to be made available for a longer period of time. Once the cookies are stored on the user's hard drive, it will be available as long as the user deletes them manually.
3-Occupies less memory
4- Cookies can store any type of data, including text, numbers, and even images.
disAdvs:
1-Security Risks: since they're stored on the user's hard-drive, an intruder can access these files and read the data inside.
2-Size Limitations :they cannot store large amount of information. Most cookies are able to store information only up to 4kb,
some browsers also have limitations on the number of cookies per website.
3-Manual Disabling: Browsers also comes with the option to disable cookies
4- privacy concerns: cookies stores all the website that the users visits, this information can be accessed by any third parties including government agencies and businesses or advertisers.
-JWT :
advs:
1-Easy to use: One of the main reasons why developers love using JWT is its ease of use and simplicity
2-Tokens Offer Robust Security: Since tokens like JWT are stateless, only a secret key can validate it when received at a server-side application, which was used to create it.
3-Token-based Authentication is more Scalable and Efficient
disAdvs:
1-Compromised Secret Key: One of the major cons of relying on tokens is that it relies on just one key.
2- Server cannot identify clients: Once the token is issued, the server has no idea whether the client is active or not. It is only when they ask for a refreshed token that the server actually gets to know their status.
3-Data Overhead
The overall size of a JWT is quite more than that of a normal session token, which makes it longer whenever more data is added to it
4-horter Lifespan
Short-lived JWT are harder for users to work with. These tokens require frequent reauthorization
Q-5 I would prefer stateless cuz stateless protocol design simplify the server design. The Stateful protocol design makes the design of server very complex and heavy. Stateless Protocols works better at the time of crash because there is no state that must be restored.
✨ Team members: Najwan Shawareb, Sanad Alshobaki, Rinad AQ., Dana AlSiddig ✨
Q1. They enter their credentials (username/email, password). The client sends this info to the server securely. The server validates the credentials. If valid, the server creates a session, generates a token, and sends it back to the client. The client stores the token and uses it for future requests. The user is redirected to a signed-in page. Throughout the session, the server manages authentication and tracks user activity.
Q2.
Client-Side:
Session Cookies: Stored in the user's browser's cookie storage.
JWTs: Typically stored in browser storage (e.g., localStorage).
Server-Side:
Session Data: Stored on the server.
JWTs: Not stored on the server; validated using a secret or public key.
Q3.
Stateful:
Example: Traditional web applications with server-side sessions.
Characteristics: Server maintains client state; requests depend on server-stored data.
Stateless:
Example: RESTful APIs, Token-based Authentication (e.g., JWT).
Characteristics: Each request is independent; server doesn't store client state.
Q4.
Advantages:
- More scalable.
- Simpler design.
- Flexible distribution.
Disadvantages:
- Challenging session management.
- Limited functionality for complex workflows.
- Increased payload size.
Considerations:
- Choose stateful for continuous sessions.
- Choose stateless for scalability.
- Modern applications often use a combination.
Q5.
The preference between stateful and stateless architectures depends on the specific needs of the application:
Stateful:
- Prefer for continuous user sessions and complex workflows.
- Provides a seamless user experience and supports rich functionality.
Stateless:
- Prefer for scalability and decoupled services.
- Offers simplicity, scalability, and is suitable for microservices architectures.
Considerations:
- Hybrid approaches are common, combining stateful and stateless components.
- Choose based on the unique requirements of the application, balancing user experience and scalability.
Mohamad Sheikh Alshabab, Mohamad ms, Ahmad Jouma
q1 -
1- A user reaches a login page on a website they have previously created an account with.
2- The user provides their unique ID and key to verify their identity.
3- The login credentials are compared against the originals stored in the website’s server.
4- If they match, the user is authenticated and provided access to their account.
q2-
- Session: is stored on the server.
- Cookie: is stored on the client-side.
- JWT: can stored on the client-side or the server.
q3-
-
Session Cookies: STATEFUL
-
JWT ( JSON Web Tokens): STATELESS
-
Stateless is more scalable, simpler and doesn't store the data, while STATEFUL is the opposite.
q4-
- Sessions: Sessions rely on server-side storage and are inherently stateful, which can be a drawback in modern microservices and distributed systems.
- JWT: JWTs are stateless, which can be advantageous for scalability but challenging for scenarios requiring centralized session management.
q5- we prefer JWT for simplicity and scalability.
Team Members : Abdullah Alawad , Lujain Mansour, Lin
Q.1 1- on the login page using POST request (form submission), the server extracts the entered username and password from the form data.
2- User Authentication:
The server checks if the entered username exists in the user database.
If the username is found, it compares the hashed version of the entered password with the stored hashed password for that user.
3-Session Creation:
If the authentication is successful, a session is created. In this example, the username is stored in the session using session object.
4-Redirect to for example: Dashboard (the selected page to redirect after logging in):
The user is then redirected to the /dashboard route.
5-Dashbord Route (/dashboard) and check Authentication:
The /dashboard route is defined to display the user's dashboard and it will check if the user is authenticated by verifying the presence of the 'username' in the session.
6-Display Dashboard or Redirect:
If authenticated, the server displays a welcome message on the dashboard. If not authenticated, the user is redirected back to the login page.
Q.2) Session and Cookie Data: Stored on the client side.
JWT Data (JSON Web Token) :
Primarily stored on the client side, but can also be stored on the server side. Session and cookie data are often used in traditional web applications; JWTs have become popular in modern.
Q.3) Stateful and stateless are terms often used to describe the behavior of computer systems, applications, or protocols.
Stateful technologies: A stateful system retains information about the current state of a user's interactions or the overall system's status it is like TCP, keeps tracking and stores past interactions and maintaining a state.
Stateless technologies: stateless system does not store information about the state of a user's interactions or the overall system's status between requests it is like HTTP, treat each request independently without remembering past states. Stateful can offer context but may be resource-intensive, while stateless is simpler and more scalable but lacks context between interactions.
Q.4 Advantages of Stateful Systems:
Can offer a more user-friendly and personalized experience.
Simplifies certain aspects of application development.
Disadvantages of Stateful Systems:
Increased server overhead and potential scalability issues.
Dependency on server-side storage, which can be a single point of failure.
Advantages of Stateless Systems:
Improved scalability and performance due to reduced server-side storage requirements.
Easier to distribute requests across multiple servers (load balancing).
Disadvantages of Stateless Systems:
Some applications may find it challenging to implement certain features without session data.
Increased data transfer with each request, potentially impacting network performance.
Q.5)choosing session cookies for simplicity and ease of use. Opt for JWTs for stateless, scalable applications, considering their versatility despite potential complexity. The decision hinges on your specific application requirements.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Room 6 1.Nour kayyali 2. Noor Alrai 3.Hasan Mohammad 3.omar
2.Server-side Processing:
Authentication: The server receives the user's credentials and compares them to the stored data (usually in a database) for matching usernames and passwords.
Authorization: If the credentials match, the server authorizes access by generating a session token or cookie.
Redirection: Upon successful login, the user is redirected to their account dashboard, homepage, or the page they were originally trying to access.
2.Session/Cookie:
--Server-side:
Session ID: A unique identifier for the user's session is typically stored in a database or memory on the server.
Session data: Associated user information (e.g., user ID, preferences) might be stored alongside the session ID on the server.
--Client-side:
Session cookie: The session ID is sent to the user's browser and stored in a cookie. This cookie is automatically sent back to the server with subsequent requests, allowing the server to associate the user with their session data.
JWTs (JSON Web Token): Entirely client-side:
Browser storage: The JWT itself is typically stored in the browser's local storage or session storage.
HttpOnly cookie (recommended): For enhanced security, it's recommended to store JWTs in an HttpOnly cookie
Stateful applications retain data between sessions, but stateless applications don't. For example, stateful applications remember products in a user's cart after logging out, while stateless applications treat every login as a new session and cart information is lost. Self-contained stateless apps scale well
Stateless (JWT):
Advantages : The JWT is a self contained token which has authetication information, expire time information, and other user defined claims digitally signed.
Portable: A single token can be used with multiple backends.
No Cookies Required, So It's Very Mobile Friendly
Good Performance: It reduces the network round trip time.
Decoupled/Decentralized: The token can be generated anywhere. Authentication can happen on the resource server, or easily separated into its own server.
Disadvantages
Since JWT tokens cannot be “invalidated” (without maintaining them in a shared db), in JWT approach the logout length precision is set by the expiration length of the access_token. However the “access_token” lifespan can be kept short (typically 10 to 15 mins), so that tokens are automatically “invalidated” after the duration.
Anti-pattern: Sometimes additional and unnecessary information is stored in the JWT. The JWT token should primarily contain user information, and the data authorized to be accessed by that user should be provisioned and managed as a separate service on that respective server.
Stateful (Session/cookie)
Advantages
On logout, since the sessionId is removed from the database, we have a precision logout i.e. logout occurs at the moment the sessionId is removed from the sessionDB
Disadvantages
Needs an additional DB lookup within the sessionId table to get the userId, DB look ups are relatively slower than JWT decrypting action.
Individual servers cannot be scaled separately since they would need to share the sessionDB.