Source: https://www.researchgate.net/publication/320068250

Token-Based vs Session-Based Authentication: A survey

Article · September 2017
Citations: 1 · Reads: 2,230

Author: Yjvesa Balaj, Market Technologies Inc.

All content following this page was uploaded by Yjvesa Balaj on 27 September 2017.


Token-Based vs Session-Based Authentication:
A survey
Yjvesa Balaj
University of Prishtina “Hasan Prishtina”
Faculty of Electrical and Computer Engineering
Prishtina, Kosovo
yjvesabalajj@gmail.com

Abstract – In almost every service that holds sensitive client data, the security and privacy of that data is what matters most to the clients. This means that no unauthorized person may get access to that data, no matter what happens and why. In computer science this is the domain of authentication: validating that a user is who they declare they are. Many authentication techniques have been used over the years. Most systems use cookies and session-based authentication, which burdens the servers because it is stateful: the server remembers every client login. In this paper I discuss and briefly analyze the importance of the newer technique, Token-Based Authentication as proposed by the OAuth 2.0 Framework, which is secure and, above all, stateless. The main points of this paper are how this technique works, how it compares to the older technique of session-based authentication and, most of all, why to choose it over the session-based technique.

Index Terms— token, authentication, OAuth, security, privacy, sessions, encryption

1. What is authentication and how did the idea come about?

Over the last years technology and its services have become one of the main influences in every country, including every company, educational institute and everything else. Services that used to be offered by people have over time been replaced with technology services. By now even shopping and learning are done on the internet, and on many sites you have an account: you log into it and either save data or buy something, and both of these, among others, are very important to a lot of people. Since money is involved, malicious people will always take the chance to steal data and abuse it, so we need a way to authenticate a valid user among others who pretend to be someone they are not. In the real world we authenticate each other using an identity card or passport and it is very easy, but on the internet things are a little different. Who can assure you that the person on the other side of the internet is the one you think it is? Right here authentication arises, and it is a very critical term.

Authentication in information technology is the process of verifying who you are: whether you are the one you claim to be or not.

Regardless of whether an authentication system is computer based or not, there are several elements usually present, and certain things usually take place. First of all, we have a particular person or group of people to be authenticated. Next, we need a distinguishing characteristic that differentiates that particular person or group from others. Third, there is a proprietor who is responsible for the system being used and relies on mechanized authentication to distinguish authorized users from other people. Fourth, we need an authentication mechanism to verify the presence of the distinguishing characteristic. Fifth, we grant some privilege when the authentication succeeds by using an access control mechanism, and the same mechanism denies the privilege if authentication fails [1].

Authentication is also needed a lot in single sign-on and is a main key for it, since it deals with user data; in paper [8], in order to raise user acceptance, token-based authentication is combined with client-based single sign-on for local and remote authentication. Today e-commerce sites such as Amazon, eBay, AliExpress and many more would not exist at all if authentication did not work correctly.

2. Related Work

In the publication "The OAuth 2.0 Authorization Framework" [5] the author briefly describes the OAuth framework and how token-based authentication is implemented using JWT (JSON Web Tokens), while the publication "The OAuth 2.0 Authorization Framework: Bearer Token Usage" [9] describes the importance of the Bearer parameter, which carries the token added to the request header; that token is then used in each request from client to server. The publication "Simplified Authentication and Authorization for RESTful Services in Trusted Environments" [7] proposes a new way of doing both authentication and authorization for trusted RESTful services. The publication "A Token-Based User Authentication Mechanism for Data Exchange in RESTful API" [6] describes user authentication with regard to RESTful API services, while publication [8] discusses access and session management in HTTP environments. The downside of this technology is the increased implementation effort for new clients in the cloud.
Further network traffic in this method would be higher, because every client additionally has to broadcast its token transactions to the so-called miners [3].

3. How is authentication done?

Over the years many different authentication methods were introduced and applied, each of them trying to offer a more secure service than the others. First password-based authentication was offered, later session-based and biometric authentication, and later token-based authentication, which is the most reliable because of its structure. Authentication using certificates is also described in [2]. This paper describes session-based and token-based authentication in full, with their disadvantages and benefits.

4. Token-Based Authentication

Tokens are a new term in the IT field, and their usage has increased dramatically in the last years. A token is a string that is signed, not encrypted; it carries information about the user who wants to authenticate.

Tokens are often hardware items for identifying and authenticating a user. They can also be software-based artifacts of permission-granting systems, where multipath authentication algorithms are used [3][5].

Referring to the RFC, there are different types of token [3][5]:
- perishable token: used to validate a single action;
- session token: valid for one specific session and can be used several times within this session;
- access token: can be used multiple times but cannot be renewed;
- refresh token: can be used only once (must be invalidated after its use).

Access token types can be defined in one of two ways: registered in the Access Token Types registry or by using a unique absolute URI as its name. Types utilizing a URI name SHOULD be limited to vendor-specific implementations that are not commonly applicable, and are specific to the implementation details of the resource server where they are used. All other types MUST be registered. Type names MUST conform to the type-name ABNF. If the type definition includes a new HTTP authentication scheme, the type name SHOULD be identical to the HTTP authentication scheme name (as defined by [RFC2617]). The token type "example" is reserved for use in examples [5]:

type-name = 1*name-char
name-char = "-" / "." / "_" / DIGIT / ALPHA

The first framework to use and implement token-based authentication is the OAuth framework [5], which includes JWT (JSON Web Token) as well.

When sending the access token in the "Authorization" request header field defined by HTTP/1.1 [RFC2617], the client uses the "Bearer" authentication scheme to transmit the access token. For example [9]:

GET /resource HTTP/1.1
Host: server.example.com
Authorization: Bearer mF_9.B5f-4.1JqM

The syntax of the "Authorization" header field for this scheme follows the usage of the Basic scheme defined in Section 2 of [RFC2617]. Note that, as with Basic, it does not conform to the generic syntax defined in Section 1.2 of [RFC2617] but is compatible with the general authentication framework being developed for HTTP 1.1 [HTTP-AUTH], although it does not follow the preferred practice outlined therein, in order to reflect existing deployments. The syntax for Bearer credentials is as follows [9]:

b64token    = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
credentials = "Bearer" 1*SP b64token

Clients SHOULD make authenticated requests with a bearer token using the "Authorization" request header field with the "Bearer" HTTP authorization scheme. Resource servers MUST support this method [9].

In the example below I have implemented token-based authentication using PHP to create a REST API which validates the token fetched from the request, while the client side is created in Angular 2. For each user the server generates a token in which it saves the user's data; only the server can change the token, while everybody else can only read it.

Figure 1: Generation of token in PHP
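The token generation of Figure 1 is not reproduced on this page, so here is an added Python example (mine, not the paper's PHP) of the same three-part, HMAC-signed token with the paper's payload fields and its secret myprivatekey; mint_token, verify_token and with_changed_group are my names, and the id/name/group values are constructed. It also shows the property the text states: everybody can read the payload, but only the holder of the secret can produce a token the server accepts.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Secret from the paper's Figure 1 description. Constructed example: a real
# server loads a long random key from configuration, never a guessable word.
SECRET = b"myprivatekey"


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding JWT (RFC 7519) uses."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input: str) -> bytes:
    """HMAC-SHA256 over 'header.payload' with the server secret."""
    return hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()


def mint_token(user: dict, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Build header.payload.signature, the three dot-joined parts the paper describes."""
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({**user, "iat": now, "exp": now + ttl}).encode())
    return f"{header}.{payload}.{b64url(sign(header + '.' + payload))}"


def read_payload(token: str) -> dict:
    """Needs no secret: the token is signed, not encrypted, so anyone can read it."""
    return json.loads(unb64url(token.split(".")[1]))


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if the signature is ours and the token is unexpired."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, signature = token.split(".")
        # Pin the algorithm on the server; never let the token choose it.
        if json.loads(unb64url(header)).get("alg") != "HS256":
            return None
        if not hmac.compare_digest(sign(header + "." + payload), unb64url(signature)):
            return None  # header or payload was altered, or signed with another key
        claims = json.loads(unb64url(payload))
    except (ValueError, TypeError, AttributeError):
        return None  # malformed base64, JSON or part count
    return claims if claims.get("exp", 0) > now else None


def with_changed_group(token: str, group: str) -> str:
    """Re-encode the payload with another group but keep the old signature, to show
    that a reader who lacks the secret cannot produce a token the server accepts."""
    header, _, signature = token.split(".")
    claims = dict(read_payload(token), group=group)
    return f"{header}.{b64url(json.dumps(claims).encode())}.{signature}"
```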
As you can see, and as mentioned before, the token has three parts: the header, which contains the type of hash algorithm; the payload, which contains the body, i.e. all data that need to be signed (in our case the payload contains the id, name and user group of each user); and the third part, the signature, which signs the header and payload using a secret key, in our case the keyword myprivatekey. The token is finally created from these three parts, the header, the payload and the signature, by concatenating them with a dot, and then we return it.

On the client, in the Angular part, when the user wants to call a method on the server that requires authentication, we have to include the token in the request header using the keyword Bearer followed by the user's token. In the figure below I have given an example of a method which needs authentication to be called on the server, so I have added the token to the request header.

Figure 2 : Example of client request using token

The server then needs to check whether a token has arrived or not. This is done because not every action in a REST API needs authentication: for example, the sign-up action or the action which displays a list of books can be done at any time, but when somebody wants to add a book we have to check that the logged-in user is authorized to add it and that the user is who they say they are. In the figure below I have shown how the REST API I created using PHP checks for the token.

Figure 3 : Server checking for token

The very last part of token authentication is when the server checks whether the token exists in the database or not; if so, it allows the call to that specific action, otherwise not. In the figure below I have given an example of how the server calls the method or not, depending on the request that was made.

Figure 4: The server method call based on request

5. Session-Based Authentication

This method is the old-fashioned technique which almost every site used. Sessions were discovered early and have the ability to store data, and this ability was used for user authentication. The way session-based authentication works is:

- A session is opened and ready for initialization; for example, in PHP this would be:
      session_start();
- The user enters their credentials and a new session is created for their access:
      if ($service->login($username, $password)) {
          $_SESSION['isLoggedIn'] = true;
      }
- During that session, which means while that session exists, the user gets all their work done.
- Each time, the system asks whether the session exists so that it can allow the user in or not; for example, in PHP:
      if ($_SESSION['isLoggedIn']) { // do stuff }
- The user logs out, destroying the session:
      session_destroy();

During the open session hackers may find a leak in the system and get a lot of data which is important to users. The control of each session is done by session management [8].

In custom client-server systems, sessions are explicitly maintained by persistent network connections and state information shared between client and server applications. The request-response-disconnect nature of HTTP precludes any shared, connection-oriented state between client and Web server, in so far as that state is based on the protocol itself. RFC 2109 describes a state management mechanism more generally known as a session ticket. RFCs 2068 and 2616 specify HTTP's basic authentication mechanism, which is simply a user-ID and password encoded in Base64 and included as part of the HTTP request headers [8].

Session-based authentication is still used in a lot of websites which do not hold important data for their users; others use token-based authentication for better security, which will be described below in this paper.

As part of this paper I will also tell how the session-based method is implemented using PHP: how the server creates the session, saves data in it, and how the server checks for user login and its authenticity. In the example given below I first show how the server creates the session and performs the login.
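Before the paper's PHP figures, here is the five-step session flow above as a runnable Python simulation (an added example, not the paper's code); SessionServer, USERS and login_then_move_server are my names and the user table is constructed. It also goes one step beyond the list to show the multi-server problem that Section 6.1 later describes: a session created on one server is unknown to another server that does not share its session table.

```python
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-in for the paper's $service->login(): a hypothetical user
# table with plaintext passwords for brevity; real code stores password hashes.
USERS = {"alice": "correct horse battery", "bob": "staple-9"}


class SessionServer:
    """One web server instance with its own in-memory session table, like
    PHP's default file-based sessions on a single host."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._sessions: Dict[str, dict] = {}

    def session_start(self, session_id: Optional[str] = None) -> str:
        """Step 1: resume the session the cookie names, or open a fresh one."""
        if session_id in self._sessions:
            return session_id
        new_id = secrets.token_urlsafe(32)
        self._sessions[new_id] = {"isLoggedIn": False}
        return new_id

    def login(self, session_id: str, username: str, password: str) -> str:
        """Step 2: on valid credentials mark the session logged in. The id is
        regenerated on this privilege change so a pre-login id cannot be reused."""
        if USERS.get(username) != password:
            return session_id  # unchanged, still not logged in
        data = self._sessions.pop(session_id, {})
        data.update(isLoggedIn=True, user=username)
        new_id = secrets.token_urlsafe(32)
        self._sessions[new_id] = data
        return new_id

    def is_logged_in(self, session_id: Optional[str]) -> bool:
        """Step 4: the $_SESSION['isLoggedIn'] check made on every request."""
        return bool(self._sessions.get(session_id, {}).get("isLoggedIn"))

    def session_destroy(self, session_id: str) -> None:
        """Step 5: logout forgets the server-side state for that id."""
        self._sessions.pop(session_id, None)


def login_then_move_server() -> Tuple[bool, bool]:
    """Log in on server A, then present the same cookie to server B. B has no
    copy of A's session table, so the stateful design needs a shared store or
    sticky routing; a signed token would be accepted by either server."""
    server_a, server_b = SessionServer("A"), SessionServer("B")
    sid = server_a.session_start()
    sid = server_a.login(sid, "alice", "correct horse battery")
    return server_a.is_logged_in(sid), server_b.is_logged_in(sid)
```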
Figure 5 : Session-Based server creation of session and login

On the client side we first have to take the user credentials, the username and password, from the request and call the proper method which performs the login.

Figure 6 : Retrieval of user credentials and call of login

The final step of session-based authentication is the server method call for the login, which includes the creation of the session in case the user credentials match a user in the database:

Figure 7 : Make of login

6. Token-Based and Session-Based Differences

6.1 State of the data

The state of the data is the main difference between token-based and session-based authentication; this is the one key feature which lets us immediately choose the proper technique between the two when creating a web API, REST services or just a simple website, for example to share information. This is especially important for REST APIs because their purpose is to be stateless.

The majority of IoT and Web service companies, however, are confronting challenges in configuring a stateless concept of REST because of authentication. The stateless concept of REST means that a server does not save the status of a client and, consequently, the server does not use the concept of session, in order to comply with the principle of statelessness in the RESTful Web service. Without the notion of session, an authentication problem arises in the RESTful Web service [4].

The token-based technique is completely stateless: it does not hold any information about the user at all, which is possible because of the use of the token in each request made from client to server. Meanwhile the session-based technique is stateful: it holds all data of every client that accessed the server, which of course overloads the server a lot, and its management across multiple servers is quite a big challenge.

In the token-based technique there is no session, and statelessness is good for balancing server loads. When one server is more highly loaded than other servers, the request is passed on to other servers without creating any additional work. Another beneficial attribute of statelessness is scalability [4].

CORS (Cross-Origin Resource Sharing) requests are requests made to different servers and across different domains; this means that the management of sessions is quite difficult and we need to have a server which only manages sessions, but this costs money and time. These requests are very easy when authentication is done using tokens, because in the same way that the client sends requests to a server including the token in the header, that server can be the client of some other server, including the same token in the header, and there is no overloading at all. This procedure saves a lot of time, and is again one more example of how good the token-based authentication technique is.

6.2 Store data in JWT

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA [5][9].

Token-based authentication uses JWT to store the data and sends it to the server in the Authorization header starting with the Bearer keyword. The JWT has three parts: a header, a payload and a signature. When these three parts are joined with a dot, a token is created and can be sent back as an Authorization header, as below [9]:

Authorization: Bearer i72mkx267.lusowng396.hdon7vsj
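As an added Python example (not the paper's PHP from Figures 3 and 4), the following parses the Authorization header value above exactly per the RFC 6750 grammar quoted in Section 4, then applies the paper's rule that only some actions need a token, checking the token against the server's own table of issued tokens; extract_bearer, TokenStore, ACTIONS and dispatch are my names, and the book-API actions are constructed from the text.

```python
import re
import secrets
from typing import Dict, Optional, Tuple

# Bearer credentials grammar from RFC 6750, quoted in Section 4:
#   credentials = "Bearer" 1*SP b64token
#   b64token    = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# HTTP auth-scheme names are case-insensitive, hence re.IGNORECASE.
BEARER_RE = re.compile(r"^Bearer +([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)


def extract_bearer(authorization: Optional[str]) -> Optional[str]:
    """Return the b64token from an Authorization header value, else None."""
    if authorization is None:
        return None
    match = BEARER_RE.match(authorization.strip())
    return match.group(1) if match else None


class TokenStore:
    """Constructed stand-in for the paper's token table: the server only honours
    tokens it issued itself (the 'does the token exist in the database' check)."""

    def __init__(self) -> None:
        self._issued: Dict[str, int] = {}  # token -> user id

    def issue(self, user_id: int) -> str:
        token = secrets.token_urlsafe(32)  # uses only b64token characters
        self._issued[token] = user_id
        return token

    def lookup(self, token: str) -> Optional[int]:
        return self._issued.get(token)

    def revoke(self, token: str) -> None:
        self._issued.pop(token, None)


# Actions of the paper's book API: sign-up and listing are public, adding needs a token.
ACTIONS = {"signup": False, "list_books": False, "add_book": True}


def dispatch(store: TokenStore, action: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Mirror Figures 3 and 4: look for a token only when the action requires one.
    Header names are assumed already canonicalised to 'Authorization'."""
    requires_auth = ACTIONS.get(action)
    if requires_auth is None:
        return 404, "unknown action"
    if not requires_auth:
        return 200, f"{action}: ok (public)"
    token = extract_bearer(headers.get("Authorization"))
    if token is None:
        # RFC 6750 answers this with 401 and a WWW-Authenticate: Bearer challenge.
        return 401, "missing or malformed bearer token"
    user_id = store.lookup(token)
    if user_id is None:
        return 401, "token not issued by this server"
    return 200, f"{action}: ok for user {user_id}"
```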
Using JWT saves a lot of time in the authentication process and it is quite secure; the session-based technique does not use JWT at all, and this is another key feature which shows why the token-based technique is better than the session-based technique.

6.3 Performance

Session-based authentication overloads the server each time a user logs in, and this of course degrades the performance of a service, since the server checks the session all the time and gets the responses; moreover, in multi-domain servers the management of sessions requires a lot of time. In token-based authentication there is no session created each time a user logs in, just the time between login and logout, and this indicates better performance than the session-based technique.

OAuth or HTTP authentication maintains a session between the time of logging in and the time of logging out. As such, a user is required to log into the AS (authentication server) or the RS (resource server) for authentication when logged out [4]. In contrast, the IBA proposed in [4] does not have a concept of login or logout. Therefore IBA, which stands for ID-based authentication, removes the overhead of the login process.

7. Conclusion

This paper first described what authentication is and why we need it, and then proceeded with the two most used techniques for authentication, token-based and session-based authentication, each of them described briefly together with how to implement them.

The main point was the differences between these two techniques, their advantages and disadvantages; the reader of this paper will find the answer to why token-based authentication has lately been used so much more than the session-based technique. The way token-based authentication works and is implemented, in fact the idea of making such an authentication, is mind-blowing. Everything is almost perfect: the security, the performance, the easy way to make it work, etc.

8. References

[1] Richard E. Smith, "Authentication: From Passwords to Public Keys", first chapter only, "The authentication landscape", originally published October 01, 2001.
[2] Rene Enriquez, Andres Salazar C., "RESTful Java Web Services Security", originally published July 28, 2014.
[3] Kubovy J., Huber C., Jäger M., Küng J. (2016), "A Secure Token-Based Communication for Authentication and Authorization Servers". In: Dang T., Wagner R., Küng J., Thoai N.
[4] Sungchul Lee, Ju-Yeon Yo, Yoohwan Kim, "Authentication System for Stateless RESTful Web Service", originally published November 2016, Computer Science, vol 10018. Springer, Cham.
[5] Hardt, D., "The OAuth 2.0 Authorization Framework." RFC 6749, RFC Editor, October 2012.
[6] Xiang-Wen Huang, Chin-Yun Hsieh, Cheng Hao Wu and Yu Chin Cheng, "A Token-Based User Authentication Mechanism for Data Exchange in RESTful API", vol. 00, no. , pp. 601-606, 2015, doi:10.1109/NBiS.2015.89
[7] Brachmann E., Dittmann G., Schubert K.D. (2012), "Simplified Authentication and Authorization for RESTful Services in Trusted Environments." In: De Paoli F., Pimentel E., Zavattaro G. (eds) Service-Oriented and Cloud Computing. ESOCC 2012. Lecture Notes in Computer Science, vol 7592. Springer, Berlin, Heidelberg.
[8] Kurt Gutzmann, "Access control and session management in the HTTP environment." IEEE Internet Computing, 5:26–35, 2001.
[9] Jones, M.B., Hardt, D., "The OAuth 2.0 Authorization Framework: Bearer Token Usage." RFC 6750, RFC Editor, October 2012.
[10] Sandro Wefel and Paul Molit, "Raising User Acceptance of Token-Based Authentication by Single Sign-On", originally published in 2012.
