Modern applications suna amfani da wasu hanyoyin gida — session-based, token-based (JWT), da delegated authentication (OAuth/OpenID Connect). Fahimta yadda kowanne ya aiki, da yadda aka iya amfani da su, yana da mahimmanci don aiwatar da gida mai tsaro.
Session-based authentication
text
SESSION-based (traditional):
→ user logs in → server creates a SESSION (stored server-side) → sends a session ID
cookie → the browser sends it with each request → server looks up the session
✓ server controls sessions (easy to revoke); simple; cookie auto-sent
✗ stateful (server stores sessions); scaling needs shared session storage
Token-based (JWT)
text
JWT (JSON Web Token):
→ user logs in → server issues a SIGNED token containing claims (user id, etc.) →
client stores it → sends it (usually in an Authorization header) per request →
server VERIFIES the SIGNATURE (no server-side lookup needed)
✓ STATELESS (scales easily; no session store); works well for APIs/SPAs/mobile
✗ hard to REVOKE before expiry (it's self-contained) → use short expiry + refresh tokens
⚠️ store securely; don't put secrets in the (readable) payload; validate properly