The Three Pillars of Web Authentication
Every time you log into a website, one of three things is happening behind the scenes. Let me explain each one like I'm explaining it to a friend.
1. Session-Based Authentication (The Classic)
How it works:
1. You send your username and password
2. Server checks them, creates a "session" (like a ticket)
3. Server sends back a session ID in a cookie
4. Every request after that includes this cookie
5. Server looks up the session to verify you
Pros: Simple, well-understood, easy to revoke
Cons: Requires server-side storage, harder to scale
2. JWT (JSON Web Tokens)
How it works:
1. You send your credentials
2. Server creates a signed token containing your info
3. Token is sent back to you
4. You include this token in every request
5. Server verifies the signature - no database lookup needed
The structure:
header.payload.signature
Pros: Stateless, scalable, works across services
Cons: Can't be easily revoked, token size
3. OAuth 2.0 (Sign in with Google/GitHub)
How it works:
1. User clicks "Sign in with Google"
2. Redirected to Google's login page
3. User authenticates with Google
4. Google sends an authorization code back
5. Your server exchanges the code for an access token
6. You use the token to get user info from Google
Pros: No password management, trusted providers
Cons: Complex flow, dependency on third parties
Which Should You Use?
| Scenario | Recommendation |
| Simple web app | Session-based |
| API-first application | JWT |
| Mobile + Web | JWT |
| Social login | OAuth 2.0 |
| Enterprise | OAuth 2.0 + SAML |
Security Best Practices
- Always use HTTPS
- Store tokens in HTTP-only cookies
- Implement refresh token rotation
- Set short expiration times for access tokens
- Hash passwords with bcrypt (cost factor 12+)
Authentication is the front door to your application. Make it strong, but don't make it complicated.





































































































































































































































