Skip to main content
HashnodeOnkar K | Full-Stack AI Engineering

Command Palette

Search for a command to run...

Session Based Auth System [state-full]

Updated
2 min read
Session Based Auth System [state-full]
O
Onkar K
Full-stack Ai Engineer
Part of seriesBack-end

  • Session based auth is traditional method of auth and it is state-full means we store sessions of user in memory or DB and share session_id to user to verity his identity

  • This method is gold standard for monolith application where front-end and back-end are served from same domain.

How it’s work

  1. Login - user submit their credential to server

  2. Verification and creation - if credential is correct against DB, it create a session in DB and generate a unique session_id

  3. Cookie - Server send back response with header of set_cookieincludes sesson_id

  4. Browser - it automatically store the cookie

  5. Subsequent request - in every future server request, browser attach cookie of session_id in header requests.

  6. Server validation - it pull the session_id from header cookie and look up in session storage if it matches then process the request.

Methods in session based auth

I said it earlier it is not idle for multi-server system, but there is practical methods to achieve this using following methods.

1. Replication of Session storage

Why we use this method ?

  • Incase of multi server user 1st login req. go to auth_server that create and save session in session_storage_DB-1

  • Because of load-balancer the next req. with session_id header is route to server-2 but it failed to validation because their session is not stored in session_storage_DB-2 it leads logout of user.

  • To resolve this issue we use replication session storage

How it’s works ?

When any one server creates or updates a session, it immediately broadcasts that change to the data-grid, which then updates all other servers.

Drawback

  • Memory overhead - each server contain all the session which consumes your all available RAM

  • Complexity - To keep server session up to date in Realtime is difficult

2. Centralized Session storage

why we use this method

  • It resolves memory overhead issue

  • To make system less complex

How it’s work?

Here we use common session_storage_DB for both servers can fetch and validate the session_id against single session_storage_DB

Drawback

Single Point of Failure: If the Session_storage_DB goes down, no one can log in

#session-based-authentication#authentication

Comments

Join the discussion

No comments yet. Be the first to comment.

Back-end

Part 2 of 3
Up next

Token Based Auth System [state-less]

In a token-based system, HS256 and RS256 are the two most common algorithms used to sign the token. 1. HS256 This method is mostly used in monolith application, where it only requires single key.

More from this blog

Onkar K | Full-Stack AI Engineering

19 posts

Production-grade GenAI & multi-agent apps with Next.js & TypeScript. Explore deep architectures using LangGraph.js, LangChain.js, and backends via Hono, Express, & Node.js. Master advanced RAG with Qdrant, Pinecone, and Redis caching. Track execution with Langfuse and LangSmith. Zero fluff—just type-safe code, terminal logs, and robust deployments with Docker, Kafka, and Kubernetes for modern builders