๐Ÿš€

AI SaaS Starter - Build an AI SaaS in Days

Grab a production-ready starter project with all integrations.

๐Ÿ“ข

Advertise Your Company Here

Click now to email us to advertise in this spot and reach thousands of frontend developers.

๐Ÿš€

AI SaaS Starter - Build an AI SaaS in Days

Grab a production-ready starter project with all integrations.

๐Ÿ“ข

Advertise Your Company Here

Click now to email us to advertise in this spot and reach thousands of frontend developers.

FrontendGeek
FrontendGeek
Blog/NotesConcept

Explained Web Authorization Techniques - Session & JWT

Understand important web authorization techniques to enhance role-based authentication for any web application with popular techniques like Session & JSON Web Token (JWT)

Intermediate

Anuj Sharma

Last Updated Dec 16, 2025

Explained Web Authorization Techniques - Session & JWT

Authorization is about validating the user's permission to access the resources, in case of failure HTTP code "403 Forbidden" is returned.

Authorization Techniques

There are 2 major techniques for authorization, here are the details

1. Session-based authorizations - using Session Id

 Authorization flow
  1. The client sends a username & password to the server. The server validates credentials against existing credentials stored in the DB
  2. On successful authentication server generates a unique session ID (signed) and stores session_id on the server.
  3. The server sends back session_id which will be set as part of a cookie in the browser.
    HTTP OK 200 set-cookie
  4. All subsequent HTTP calls include session_id and request as part of the COOKIE request header.
  5. The server validates session_id as part of the cookie against the stored cookie if valid then authorize the user to process that HTTP request.
 Major drawbacks
  1. Hard to load balance - Since this is a stateful mechanism, it requires the server to store the session ID, but in the case of multiple servers, this session is invalidated if the request is routed to another server by an API gateway or load balancer.
    ๐Ÿ’กSolution - The above problem can be solved using common caching like Redis where all the servers will store and access session_id from Redis cache.
  2. Prone to CSRF attacks - Session-based authentications are prone to CSRF attacks. This can be prevented by using the X-CSRF-Token header.
  3. Access cookie by client-side application - Cookies can be accessed by any client-side application that can use the Cookie details to create a new session programmatically.
    ๐Ÿ’กSolution - Cookies can be secured using HTTP-Only, same-origin options along with a Set-Cookie header so that it can't be accessible through JavaScript code.

2. Token-based authorization (Stateless) - JWT token

 Authorization flow
  1. The client sends a username & password to the server. The server validates credentials against existing credentials stored in the DB.
  2. On successful authentication server generates a unique JWT Token, which contains data(payload) related to the user and signs that token.
  3. This Token is sent back to the user as part of a successful HTTP response with the Authentication HTTP header
    HTTP 200 OK Authentication: Bearer [Token]
  4. Users save this token in a cookie or local storage
  5. The user sends this token along with API requests in subsequent requests as part of the Authentication header.
  6. The server validates the JWT token by decoding information from the JWT token. If the token is valid then the server authenticates that token and processes the API request.
 Major drawbacks
  1. Secret must be shared between servers so that the server can extract the user details.
  2. In case of invalid Tokens(forgot password), requires a list of invalid tokens which makes a more sort of stateful kind.
  3. Token-based authentications are prone to XSS attacks.
  4. The token is not opaque and contains payload information, and this can be extracted from the token.
  5. No sensitive information can be mentioned as part of the payload.
  6. The generation of a new signature is essential a frequent intervals to avoid Resource Forgery attacks

About the Author

Anuj Sharma

Anuj Sharma

A seasoned Sr. Engineering Manager at GoDaddy (Ex-Dell) with over 12+ years of experience in the frontend technologies. A frontend tech enthusiast passionate building SaaS application to solve problem. Know more about me  ๐Ÿš€

๐Ÿš€

Love this content? Share it!

Help others discover this resource

Comments

3 comments

Guest User

Please login to comment

0 characters

Ankita Sood

ankitasood2000@gmail.com

10 Dec, 2025

Is same technique used for authentication ?

1 reply

Anuj Sharma

Reply

anujsharma.engg@gmail.com

16 Dec, 2025

There are authentication techniques which uses the same concepts - Basic Authentication - uses cookies in the session OIDC (OpenID Connect) "Sign In with Google" - use OAuth2.0 which uses JWT concept

Nidhi Sharma

nidhipune1505@gmail.com

22 Jun, 2025

Very helpful to understand web Authorization.

Share Your Expertise & Help the Community!

Build Your Portfolio

Help the Community

Strengthen Your Skills

Share your knowledge by writing a blog or quick notes. Your contribution can help thousands of frontend developers ace their interviews and grow their careers! ๐Ÿš€

Other Related Blogs

Polyfill for map, filter, and reduce in JavaScript

Anuj Sharma

Last Updated Oct 2, 2025

Explore Polyfill for map, filter and reduce array methods in JavaScript. A detailed explanation of Map, filter and reduce polyfills in JS helps you to know the internal working of these array methods.

Visit Blog

Flatten Nested Array in JavaScript using Recursion

Anuj Sharma

Last Updated Nov 24, 2025

Understand step by step how to flatten nested array in javascript using recursion, also explore the flatten of complex array of object.

Visit Blog

Master Hoisting in JavaScript with 5 Examples

Alok Kumar Giri

Last Updated Jun 2, 2025

Code snippet examples which will help to grasp the concept of Hoisting in JavaScript, with solutions to understand how it works behind the scene.

Visit Blog

Implement useFetch() Custom Hook in React (Interview)

Anuj Sharma

Last Updated Nov 23, 2025

Find the step-by-step explanation of the useFetch custom hook in React that helps in fetching the data from an API and handling loading, error states.

Visit Blog

setTimeout Polyfill in JavaScript - Detailed Explanation

Anuj Sharma

Last Updated Aug 3, 2025

Explore the implementation of setTimeout in JavaScript with a detailed explanation for every step. Understand all scenarios expected to implement the setTimeout polyfill.

Visit Blog

Implement Infinite Currying Multiplication in JavaScript: mul(2)(3)(4)

Anuj Sharma

Last Updated Oct 26, 2025

Understand the step-by-step implementation of Infinite Currying Multiplication in JavaScript with a code example.

Visit Blog

Stay Updated

Subscribe to FrontendGeek Hub for frontend interview preparation, interview experiences, curated resources and roadmaps.

FrontendGeek
FrontendGeek

All in One Preparation Hub to Ace Frontend Interviews. Master JavaScript, React, System Design, and more with curated resources.

Consider Supporting this Free Platform

Buy Me a Coffee

Product

HomeFrontend InterviewInterview ExperienceBlogsToolsLeaderboard

Interview Preparation

JavaScript InterviewMachine CodingSystem DesignUI TechnologiesReact InterviewDSA for Frontend

Tools

CSS Image FilterPixelate ImageAspect Ratio CalculatorBox Shadow GeneratorCSS Gradient GeneratorNeumorphism GeneratorExplore More Tools โ†’

Interview Experiences

GoogleMicrosoftAmazonUberAtlassianFlipkartExplore More Interview Experiences โ†’

Company

About UsContactPrivacy PolicyTerms of ServiceDisclaimerAffiliate Disclosure

ยฉ 2026 FrontendGeek. All rights reserved