Difference between cookies, sessions, and tokens?

In this article we will look at what cookies are, what sessions are, what API tokens are, and what the difference between all of them is.

Let's take this example: you want to log into your bank account. You are presented with a login screen where you enter your username and password, and after you hit the login button your username and password go to the bank's server. I know that nowadays the login procedure typically includes other steps, such as getting a text message or confirming the login on your phone, but to keep it understandable I have simplified it. Next, the server verifies that you actually are who you claim to be: the bank checks your credentials against its database to see if they match. If everything looks good, the server returns your account overview page, but it also creates a session in its database recording your login event and gives you the session ID in the form of a cookie. In other words, you have exchanged your username and password for a cookie containing the session ID.

One of the reasons why servers don't store more information in cookies is that cookies cannot be trusted: they come from the client, and that's you. It's like telling the bank "hey, I have 1 million in my bank account, just trust me". This is why servers prefer to work with their own database, where ideally only valid information exists. An alternative is to store the information on the client and sign it. In that scenario anyone holding the signing key can quickly check whether the data was manipulated or not. One way to do this is to use JSON Web Tokens (JWT), but I won't get into them today. Traditionally, cookie-based authentication has worked very well for many years, but it is slowly becoming outdated, at least in some use cases.

Let's now assume that you want to install an app on your phone which helps you with your finances and keeps track of your spending. What you don't want to do is give your username and password to this app, which is not associated with your bank. In this case the app redirects you to your bank, you enter your username and password there, and your bank asks you: "Hey John, would you like to give this app access to your transactions?" If you click yes, the app receives a token granting access to your transactions. The app can only view transactions; it cannot perform wire transfers or see the other details you would normally see when you log into your bank account. This token is like a randomly generated password, if you wish: it is like getting a one-day Wi-Fi password at a hotel. I'm sure you have seen a similar procedure any time you have used Facebook, Google or Microsoft to grant a third-party website information from your user profile. In this exchange you never expose your username and password, and if you later want to, you can easily revoke the app's access to your bank account by invalidating the token that was generated. Some of the most commonly used standards for such scenarios are OpenID and JSON Web Tokens (JWT).

What is the difference between a token and a session stored in a cookie? The difference is that tokens typically follow a standard, while sessions are implemented as needed by the server. Additionally, tokens tend not to need a session on the server, although they may have one; in the case of JWTs the token contains the session information itself, so it carries actual data about you as a user. When using tokens it is essential to notice that the interaction now typically involves multiple parties that may or may not trust one another: you trust your bank with your bank login, but you may not trust this third-party app you found in the App Store. Another difference is that a token has a limited lifetime, and a new token needs to be generated once it expires; the technical term for that is a refresh. A token can also grant access to only a subset of the data a particular user identity has. As you have seen in this case, you granted access only to your transactions and not to other information, whereas if you gave your username and password to a third party, it would have access to everything. Most of the time tokens are sent using HTTP headers and not cookies. The reason is that nowadays many interactions happen outside of browsers, for example from apps on your phone, and it simply does not make sense to use cookies for that.

Both session-based and token-based approaches are widespread, and they are typically used in parallel: for example, a session-based approach is deployed when using the website, while the token-based approach is preferred when using the app from the same service. So it is essential to understand how both work. I hope the explanation was useful, and now that you know the difference between cookies, sessions and API tokens, if you found this article useful give it a thumbs up.
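To make the two designs contrasted above concrete, here is an added example (my own illustration, not code from the article): a server-side session store where the cookie carries only an opaque ID, next to a self-contained signed token that carries its own scope and expiry, so tampering, expiry and out-of-scope use are all caught at verification time. The signing key, the scope names and the claim layout are constructed for the example; a real deployment would use a standard such as JWT rather than this hand-rolled format.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)   # hypothetical server-side signing key, never sent to the client

# --- Cookie-based session: the client holds only an opaque ID; the data lives on the server.
sessions = {}

def create_session(user):
    sid = secrets.token_urlsafe(32)    # unguessable and carries no data of its own
    sessions[sid] = {"user": user}
    return sid

def lookup_session(sid):
    return sessions.get(sid)           # a forged or revoked ID simply finds nothing

def revoke_session(sid):
    sessions.pop(sid, None)            # revocation is just deleting the server-side record

# --- Signed token: the client holds the data; a signature lets the server detect manipulation.
def _b64(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user, scopes, ttl, now=None):
    """Mint 'payload.signature' with a limited lifetime and a limited set of scopes."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user, "scope": scopes, "exp": now + ttl}).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_token(token, required_scope, now=None):
    """Return the claims only if signature, expiry and scope all check out, else None."""
    now = time.time() if now is None else now
    try:
        p, s = token.split(".")
        payload, sig = _unb64(p), _unb64(s)
    except ValueError:                           # malformed token
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # payload was altered by the client -> reject
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:                     # expired -> the app must obtain a fresh token
        return None
    if required_scope not in claims["scope"]:    # token grants only a subset of the user's data
        return None
    return claims
```

The session variant can be revoked instantly server-side, while the token variant needs no server lookup at all but stays valid until it expires unless you add a revocation list.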

About the author


Hi there! My name is Binay Topno, I am an engineering graduate from B. A College of Engineering and Technology, Jamshedpur. In addition, I am a blogger too, which made me penned down some aspects of online knowledge about the digital world in this blog.
