
Explained Web Authorization Techniques - Session & JWT

Understand important web authorization techniques to enhance role-based authentication for any web application with popular techniques like Session & JSON Web Token (JWT)

Intermediate

Anuj Sharma

Last Updated Dec 16, 2025



Authorization is about validating the user's permission to access a resource; when that check fails, the server returns HTTP status "403 Forbidden".

Authorization Techniques

There are two major techniques for authorization; here are the details.

1. Session-based authorization - using a session ID

 Authorization flow
  1. The client sends a username & password to the server. The server validates the credentials against those stored in the DB.
  2. On successful authentication, the server generates a unique (signed) session ID and stores the session_id on the server.
  3. The server sends back the session_id, which the browser stores as a cookie.
    HTTP 200 OK
    Set-Cookie: session_id=<value>
  4. All subsequent HTTP requests include the session_id as part of the Cookie request header.
  5. The server validates the session_id from the cookie against the stored session; if it is valid, the user is authorized and the HTTP request is processed.
 Major drawbacks
  1. Hard to load balance - Since this is a stateful mechanism, the server has to store the session ID. With multiple servers, the session is effectively invalidated if the API gateway or load balancer routes the next request to a different server.
    💡Solution - The above problem can be solved with a shared cache such as Redis, where all servers store and look up the session_id.
  2. Prone to CSRF attacks - Session-based authentication is prone to CSRF attacks. This can be prevented by using the X-CSRF-Token header.
  3. Cookie access by client-side code - Cookies can be read by any client-side script, which could use the cookie value to drive a session programmatically.
    💡Solution - Cookies can be secured with the HttpOnly and SameSite attributes on the Set-Cookie header so that they are not accessible from JavaScript code.

2. Token-based authorization (stateless) - JWT

 Authorization flow
  1. The client sends a username & password to the server. The server validates the credentials against those stored in the DB.
  2. On successful authentication, the server generates a unique JWT containing data (payload) related to the user and signs that token.
  3. The token is sent back to the client as part of the successful HTTP response:
    HTTP 200 OK
    Authorization: Bearer <token>
  4. The client saves this token in a cookie or in local storage.
  5. The client sends this token with every subsequent API request in the Authorization header.
  6. The server validates the JWT by verifying its signature and decoding the information it carries. If the token is valid, the server treats the request as authenticated and processes it.
 Major drawbacks
  1. The signing secret must be shared between servers so that every server can validate the token and extract the user details.
  2. Invalidating a token before it expires (e.g. after a "forgot password" reset) requires keeping a list of invalid tokens, which makes the scheme partly stateful again.
  3. Token-based authentication is prone to XSS attacks.
  4. The token is not opaque: it contains the payload, which anyone holding the token can extract.
  5. Therefore no sensitive information should be placed in the payload.
  6. New signatures must be generated (tokens reissued) at frequent intervals to avoid token forgery attacks.


About the Author

Anuj Sharma

A seasoned Sr. Engineering Manager at GoDaddy (ex-Dell) with over 12 years of experience in frontend technologies. A frontend tech enthusiast passionate about building SaaS applications to solve problems. Know more about me 🚀



Comments

3 comments



Ankita Sood

ankitasood2000@gmail.com

10 Dec, 2025

Is same technique used for authentication ?



Anuj Sharma


anujsharma.engg@gmail.com

16 Dec, 2025

There are authentication techniques which use the same concepts: Basic Authentication uses cookies in the session; OIDC (OpenID Connect) "Sign In with Google" uses OAuth 2.0, which uses the JWT concept.


Nidhi Sharma

nidhipune1505@gmail.com

22 Jun, 2025

Very helpful to understand web Authorization.

