Whenever you log in to a website…
You enter:
And suddenly…
You are “logged in”
But what actually happens behind the scenes?
How does the system remember you?
Let’s break it down simply
First: What is Authentication?
Authentication =
“Proving that you are who you say you are”
Example:
- Login form
- OTP verification
- Google login
⚙️ Basic Flow (Before JWT / Session / OAuth)
- User enters email + password
- Server verifies credentials
- Now server needs to “remember” the user
This is where things get interesting
1. Session-Based Authentication
How It Works
- User logs in
- Server creates a session
- Stores session in database/memory
- Sends a session ID to browser (via cookie)
Now:
Every request → sends session ID
Server checks → “Yes, this is the user”
Flow
Login → Session Created → Session ID stored in browser → Request with ID → Server validates
✅ Pros
- Simple to implement
- Easy to invalidate (logout)
❌ Cons
- Server has to store sessions
- Harder to scale: every server must reach the same session store
⚡ 2. JWT (JSON Web Token)
How It Works
Instead of storing session on server…
Server gives token to user
This token contains:
- User ID
- Expiry time
- Signature
Example:
header.payload.signature
Now:
Client stores JWT (localStorage / cookie)
Sends it with every request
Server:
Verifies token → allows access
Flow
Login → JWT generated → Stored on client → Sent with requests → Verified
✅ Pros
- Stateless (no server storage)
- Scalable
- Fast
❌ Cons
- Hard to revoke instantly
- Needs careful handling (signature verification, expiry, secure storage)
3. OAuth (Login with Google, GitHub)
How It Works
Instead of creating your own login system…
You use another provider
Example:
- “Login with Google”
- “Login with GitHub”
Flow
- User clicks Google login
- Redirect to Google
- User authenticates
- Google sends token back
- Your app trusts Google → logs user in
✅ Pros
- No need to manage passwords
- More secure: password handling is left to the provider
- Faster user onboarding
❌ Cons
- Dependency on a third party
- Slightly complex setup
JWT vs Session vs OAuth (Simple Comparison)
| Feature | Session | JWT | OAuth |
| --- | --- | --- | --- |
| Storage | Server | Client | Third-party |
| Scalability | Medium | High | High |
| Complexity | Easy | Medium | Medium-Hard |
| Use Case | Small apps | APIs / SPAs | Social login |
When to Use What?
- Small app → Session
- Modern API / frontend → JWT
- Social login → OAuth
Many apps use a combination (JWT + OAuth)
⚠️ Common Mistakes
- Storing JWT insecurely ❌
- Not setting expiry ❌
- Weak session management ❌
Security matters a lot here
Final Thought
Authentication looks simple on UI…
But behind the scenes:
It’s all about trust, identity, and security
As a developer:
Understanding this = real backend skill
Now next time you click “Login”…
You know exactly what’s happening