
Session-based vs token-based auth in Node.js - Visual Side-by-Side Comparison

Concept Flow - Session-based vs token-based auth
- User sends login request
- Server verifies credentials
- Session-based Auth:
  - Create session on server
  - Send session ID cookie
  - Client stores cookie
  - Server checks session ID
  - Allow or deny access
- Logout:
  - Destroy session on server

This flow shows how a user logs in, how the server either creates a session stored on the server or sends a token to the client, and how each subsequent request is then authenticated differently.
Execution Sample
Node.js
app.post('/login', (req, res) => {
  const userId = verifyUser(req.body);                  // check credentials (assumed helper)
  if (!userId) return res.status(401).end();            // reject before creating any auth data
  // Session-based: store the user ID server-side; express-session sets the session ID cookie
  req.session.user = userId;
  // Token-based (alternative): sign a JWT carrying the user ID; the client stores and resends it
  // const token = jwt.sign({ id: userId }, secret, { expiresIn: '1h' });
  // Respond: the session cookie goes out automatically, a token would go in the response body
  res.json({ ok: true });
})
This snippet shows a login route where the server verifies the user (verifyUser is an assumed helper, not shown) and then either creates a session or generates a token.
Execution Table

| Step | Action | Session-based Auth | Token-based Auth | Result |
|---|---|---|---|---|
| 1 | User sends login request | No session yet | No token yet | Server receives credentials |
| 2 | Server verifies credentials | Credentials valid? | Credentials valid? | Yes, proceed |
| 3 | Create auth data | Create session on server with user ID | Create JWT token with user ID payload | Auth data ready |
| 4 | Send auth data to client | Send session ID cookie | Send token in response body | Client receives auth data |
| 5 | Client stores auth data | Browser stores cookie automatically | Client stores token in memory or localStorage | Auth data stored |
| 6 | Client makes authenticated request | Browser sends cookie automatically | Client sends token in Authorization header | Request sent with auth |
| 7 | Server verifies auth | Check session ID in server store | Verify token signature and expiry | Auth verified or rejected |
| 8 | Access granted or denied | Allow or deny based on session | Allow or deny based on token | Response sent |
| 9 | User logs out | Client requests logout | Client deletes token locally | Session destroyed or token discarded |
| 10 | Server cleans up | Destroy session on server | No server cleanup needed | Logout complete |
| 11 | Next request | No session cookie, access denied | No token sent, access denied | User must login again |
| 12 | End | Session expired or destroyed | Token expired or deleted | Authentication ends |

💡 Authentication ends when the session is destroyed or the token expires or is deleted; the user must log in again.
Variable Tracker

| Variable | Start | After Step 3 | After Step 4 | After Step 6 | After Step 9 | Final |
|---|---|---|---|---|---|---|
| sessionStore | {} | { userId: 'abc123' } | { userId: 'abc123' } | { userId: 'abc123' } | {} | {} |
| sessionCookie | none | none | set in response | sent with request | deleted | none |
| token | none | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... | sent in response | sent in Authorization header | deleted from client | none |
Key Moments - 3 Insights
Why does session-based auth require server storage but token-based does not?
Session-based auth stores session data on the server (see the sessionStore variable at step 3), so the server must keep track of it. Token-based auth encodes the user info in the token itself, so the server only verifies the token signature without storing any session.
How does the client send authentication data differently in session vs token auth?
In session auth, the browser automatically sends the session cookie with each request (see sessionCookie in variable_tracker after step 6). In token auth, client code must add the token manually to the Authorization header.
What happens on logout in both methods?
In session auth, server destroys the session (sessionStore cleared at step 9). In token auth, client deletes the token locally; server usually does not track tokens.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table at step 3. What is created in token-based auth?
A. A JWT token with user ID payload
B. A cookie with session ID
C. A session stored on the server
D. A logout request
💡 Hint: Check the 'Token-based Auth' column at step 3 in execution_table

According to variable_tracker, what happens to sessionStore after logout?
A. It remains unchanged
B. It is cleared (empty object)
C. It stores the token
D. It stores the session cookie
💡 Hint: Look at sessionStore values after step 9 in variable_tracker

In session-based auth, how does the client send authentication data on requests?
A. Includes token in request body
B. Manually adds token to Authorization header
C. Sends session cookie automatically
D. Sends user ID in URL
💡 Hint: Refer to execution_table step 6 and variable_tracker sessionCookie after step 6
Concept Snapshot
Session-based Auth:
- Server stores session data
- Client gets session ID cookie
- Browser sends cookie automatically
- Server checks session on each request

Token-based Auth:
- Server creates signed token (JWT)
- Client stores token (localStorage or memory)
- Client sends token in Authorization header
- Server verifies token signature

Logout:
- Session destroyed on server
- Token deleted on client

Tokens are stateless; sessions require server memory.
Full Transcript
This visual execution compares session-based and token-based authentication in Node.js. When a user logs in, the server verifies credentials. For session-based auth, the server creates a session stored in memory or database and sends a session ID cookie to the client. The browser stores this cookie and sends it automatically with each request. The server checks the session ID to authenticate. For token-based auth, the server creates a signed JWT token containing user info and sends it to the client. The client stores the token and sends it manually in the Authorization header on requests. The server verifies the token signature and expiry to authenticate. On logout, session-based auth destroys the session on the server, while token-based auth requires the client to delete the token. This means session-based auth needs server storage and management, while token-based auth is stateless and easier to scale. The execution table and variable tracker show each step and how data changes. Key moments clarify common confusions about storage, client sending methods, and logout behavior.