LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How does token-based (JWT) authentication differ from server-side sessions?

A session keeps the state on the server and gives the client only an opaque ID; a JWT puts the (signed) state inside the token itself, so the server trusts it by re-checking the signature and stores nothing — stateless vs stateful.

Server-side session keeps state in a server store and hands out an opaque ID; a JWT carries signed state in the token and the server stores nothing.

* Where the state lives is the whole difference: server store (session) versus inside the signed token (JWT). *

Dimension Server-side session Token (JWT)
Where state lives On the server; client holds only a random ID Inside the token the client holds
Server memory Must store every active session Stateless — nothing stored
Trust mechanism Look up the ID in the session store Re-verify the token's signature
Revoke / logout Delete the session server-side — instant Hard — a valid token works until it expires (needs short lifetimes or a blocklist)
Scale across servers Needs shared or sticky session storage Any server holding the key can validate it

The core trade-off: sessions are easy to revoke but need server-side storage; JWTs are stateless and scale easily but are hard to revoke. That one difference — statelessness — is why JWTs are popular for APIs and multi-service backends, and also why logout and token theft are harder to handle than with sessions.

Go deeper:

From Quiz: SPRG / Authentication & Session Management | Updated: Jul 14, 2026