आधुनिक एप्लिकेशन विभिन्न ऑथेंटिकेशन तंत्रों का उपयोग करते हैं — session-आधारित, token-आधारित (JWT), और delegated ऑथेंटिकेशन (OAuth/OpenID Connect)। प्रत्येक कैसे काम करता है, और उनके trade-offs को समझना सुरक्षित ऑथेंटिकेशन लागू करने के लिए महत्वपूर्ण है।
Session-आधारित ऑथेंटिकेशन
SESSION-based (traditional):
→ user logs in → server creates a SESSION (stored server-side) → sends a session ID
cookie → the browser sends it with each request → server looks up the session
✓ server controls sessions (easy to revoke); simple; cookie auto-sent
✗ stateful (server stores sessions); scaling needs shared session storage
Token-आधारित (JWT)
JWT (JSON Web Token):
→ user logs in → server issues a SIGNED token containing claims (user id, etc.) →
client stores it → sends it (usually in an Authorization header) per request →
server VERIFIES the SIGNATURE (no server-side lookup needed)
✓ STATELESS (scales easily; no session store); works well for APIs/SPAs/mobile
✗ hard to REVOKE before expiry (it's self-contained) → use short expiry + refresh tokens
⚠️ store securely; don't put secrets in the (readable) payload; validate properly
