An approach to authentication: Session | Token.

Why the old per-session authentication model is falling behind:

Icegreen
5 min read · Aug 30, 2023

Introduction

As technologies evolve and user demands become more complex, traditional application development approaches must also adapt. A notable example is the per-session authentication model, which used to be widely used but is gradually being replaced by more efficient and scalable approaches. In this article, we’ll explore why the use of sessions in applications is becoming obsolete and how the modern token-based authentication model is gaining prominence.

Context

A while ago, it was common to see applications scaled vertically, that is, by increasing the capacity of the machines they ran on. In this logic, the more users we had, the more processor, memory, or disk we needed to meet the demand.

With the rise of the cloud computing paradigm came horizontal scaling. While traditional single-machine scaling was the norm, horizontal scaling revolutionizes this approach by focusing on increasing the number of available machines.

Horizontal scaling, despite its advantages, has a downside. When a new machine is added to the system under this model, it starts in a zeroed state, without the memory, disk, and information of the machines that came before it. Each new machine is essentially an independent entity that inherits no context from previous machines, including anything they held in memory.

The lack of memory and data continuity between machines can cause problems, or at the very least requires a change of perspective in how we handle things. For example, per-session authentication, which was once a common method in technologies such as ASP.NET, PHP, and Java, is no longer viable in this context.

In the old model, sessions were stored in the server’s memory, allowing for quick access and extended authentication. However, with horizontal scaling, where several independent machines serve an application, sharing sessions becomes unfeasible. This is especially true for APIs that may be distributed across many smaller machines.

The old model: Session authentication

In the past, per-session authentication was a common technique in web applications. In this model, user authentication information was stored in sessions that resided in server memory. Each time a user performed an action or navigated to a new page, the server checked the session to determine proper authentication and authorization. Although this method was widely used, it came with significant challenges.

Limitations on the use of sessions:

  1. Storage and Scalability: Storing session information on the server required significant resources, which resulted in scalability issues. As the number of users grew, the need for more processors, memory, and disk also grew, making it difficult to maintain consistent performance.
  2. Complexity: Session management introduced complexity into application code and design. Tracking user state across different sessions and synchronizing properly required additional effort, making development and maintenance more difficult.
  3. User Mobility: With the increased use of mobile devices and the need for access from multiple locations, maintaining authenticated sessions became challenging. Session state was often not maintained consistently, resulting in interruptions to the user experience.

The modern model: Token-Based Authentication:

With the advancement of technologies and the search for more efficient solutions, the token-based authentication model gained prominence. In this model, instead of storing authentication information on the server, an authentication token is generated at login time. This token is then included in the header of all subsequent user requests.

Token-based authentication

The biggest difference here is that the user state is not stored on the server: it is carried inside the token on the client side. Most modern web apps use JWT for authentication, for reasons including scalability and authentication from mobile devices.

Advantages of Token Authentication:

  1. Stateless and Scalability: The token authentication model is “stateless”, which means that each request contains all the necessary information for authentication and authorization. This facilitates scalability as servers do not need to store user state information.
  2. Improved Performance: As there is no need to fetch session information from the server with each interaction, response time is reduced, resulting in faster performance and a smoother user experience.
  3. Mobility and Flexibility: Tokens can be easily transmitted across devices and locations, allowing for a consistent experience for users no matter what device they are using.

Token-based authentication eliminates the need to share memory between machines in the scale-out scenario. Unlike traditional session authentication methods, where authentication is maintained on the server, here each request is authenticated individually. This process is streamlined and highly efficient, primarily because it does not require storing persistent information about the authentication state.
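To make the stateless flow concrete, here is an added example (not code from the original article) of a minimal JWT-style HS256 token: the login step builds a signed token carrying the user's state, and verification needs only the shared secret, so any instance of a horizontally scaled API can validate it without a session store. The secret, user ids and timestamps are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. In production it comes from a secrets manager and
# is distributed to every instance, since the secret is the only shared state.
SECRET = b"demo-secret-shared-by-all-instances"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, secret: bytes = SECRET, ttl: int = 900, now=None) -> str:
    """Login step: build header.payload.signature. The user's state (sub, iat, exp)
    lives inside the token, so the server keeps nothing in memory afterwards."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_id, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = SECRET, now=None):
    """Per-request check: return the payload if the token is valid, else None.
    Any instance holding the secret can run this; no session lookup is involved."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64 / JSON / wrong number of parts
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never trust "none"
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    if payload.get("exp", 0) <= now:  # with no server state, expiry is the built-in revocation
        return None
    return payload


if __name__ == "__main__":
    token = issue_token("alice", now=1_700_000_000)
    print(verify_token(token, now=1_700_000_100))  # verified by "another instance"
```

Because nothing is stored server-side, a stolen token stays valid until `exp`, which is why short lifetimes and a refresh flow matter in this model.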

Conclusion:

As web applications evolve, it is essential to adopt approaches that are efficient, scalable and capable of meeting the demands of modern users. The per-session authentication model, which used to be a default choice, is being left behind in favor of the token-based authentication model. The “stateless” nature of tokens offers significant advantages in terms of scalability, performance, and user mobility. By opting for this modern approach, applications can deliver a more agile and responsive experience, in line with the expectations of today’s users.

And finally, in modern applications we are never authenticated to the APIs as such; we are authenticated with each request.

If you liked this article, leave a comment. Any criticism, question or suggestion is welcome.

Written by Icegreen

🧑🏻‍💻 software engineer ⭐ creator of backseasy | backseasy.com 🛸 works: www.flavioaquila.com