Authentication methods secure the communication between a server and a client. They're also used to make a server trust a request sent by an authorized user over the internet. In this Answer, we'll compare session-based and token-based authentication.
Session-based authentication
A session is a small file that stores information about the user (user ID, login time, expiration time, and more). The session is created and stored on the server when the user logs in.
How does session-based authentication work?
Here's the basic flow of session-based authentication:
1. The user (browser) sends a request to the server. The request contains the user's credentials and the information it is requesting.
2. The web server authenticates the user. It creates a session, stores the session information in a database, and returns a `sessionId` to the user.
3. This `sessionId` is stored in the browser's cookies. On each subsequent request, the browser sends the cookies in the HTTP header.
4. The web server looks up the `sessionId` in its session store and checks whether it has any information for that `sessionId`.
5. If the `sessionId` is valid, the web server authenticates the user and returns the requested information.
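As an added example (not code from the original Answer), here is a minimal server-side session store that implements the flow above: login creates a session record and hands back a cookie carrying the `sessionId`; later requests are authenticated by looking the `sessionId` up and checking its expiry. The user table, the 30-minute TTL and the in-memory dictionaries are constructed assumptions standing in for the database the text mentions.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

# Constructed stores for the example; a real server keeps sessions in a
# database or cache, as the text describes.
USERS = {"alice": "correct horse battery staple"}  # demo credential, constructed
SESSIONS: dict = {}                                # sessionId -> session record
SESSION_TTL = 30 * 60                              # seconds until a session expires


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Step 2: check the credentials, create a session on the server and return
    the Set-Cookie header carrying the sessionId (None if login fails)."""
    now = time.time() if now is None else now
    expected = USERS.get(username, "").encode()
    if not secrets.compare_digest(expected, password.encode()):
        return None
    session_id = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
    SESSIONS[session_id] = {"user_id": username, "login_time": now,
                            "expires_at": now + SESSION_TTL}
    # HttpOnly keeps page scripts away from the cookie, Secure limits it to
    # HTTPS, SameSite restricts cross-site sending.
    return f"sessionId={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def authenticate(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """Steps 3-5: read sessionId from the Cookie header, look it up and check it
    is still valid. Returns the user id, or None if the request is rejected."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("sessionId")
    if morsel is None:
        return None
    session = SESSIONS.get(morsel.value)
    if session is None:
        return None
    if now >= session["expires_at"]:
        SESSIONS.pop(morsel.value, None)  # expired: drop the record server-side
        return None
    return session["user_id"]


def logout(cookie_header: str) -> None:
    """Invalidate the session on the server so the cookie alone is useless."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if "sessionId" in cookie:
        SESSIONS.pop(cookie["sessionId"].value, None)
```

Because the session state lives on the server, revoking access is a matter of deleting the record; the browser's copy of the `sessionId` then fails the lookup in step 4.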