आधुनिक अनुप्रयोग विविध प्रमाणीकरण यंत्रणा वापरतात — session-आधारित, token-आधारित (JWT), आणि प्रतिनिधी प्रमाणीकरण (OAuth/OpenID Connect). प्रत्येक कसे कार्य करते आणि त्यांचे compromises काय आहेत हे समजणे हे सुरक्षित प्रमाणीकरण लागू करण्यासाठी महत्वाचे आहे.
Session-आधारित प्रमाणीकरण
SESSION-based (traditional):
→ user logs in → server creates a SESSION (stored server-side) → sends a session ID
cookie → the browser sends it with each request → server looks up the session
✓ server controls sessions (easy to revoke); simple; cookie auto-sent
✗ stateful (server stores sessions); scaling needs shared session storage
Token-आधारित (JWT)
JWT (JSON Web Token):
→ user logs in → server issues a SIGNED token containing claims (user id, etc.) →
client stores it → sends it (usually in an Authorization header) per request →
server VERIFIES the SIGNATURE (no server-side lookup needed)
✓ STATELESS (scales easily; no session store); works well for APIs/SPAs/mobile
✗ hard to REVOKE before expiry (it's self-contained) → use short expiry + refresh tokens
⚠️ store securely; don't put secrets in the (readable) payload; validate properly
