Sessions are easy to revoke but require Redis for multi-server; JWT is stateless and scales easily but cannot be revoked before expiry; the hybrid pattern (short-lived JWT + server-side refresh token) is the 2025 best practice.

Session-based: the server stores session data in memory/Redis, the client only stores a session ID in a cookie.
- Server is stateful: it must look up the session on every request.
- Advantages: easy to revoke (delete the session), user data is never exposed to the client, server has full control.
- Disadvantages: requires a shared session store (Redis) for multi-server setups, horizontal scaling is more complex.

JWT: the server is stateless, the client holds all claims in the token.
- No DB lookup needed to verify (just verify signature).
- Advantages: stateless → easy to scale, microservices can verify tokens without a centralized auth service.
- Disadvantages: cannot revoke before expiry (requires a blacklist = stateful), token size is larger than a session ID.
- Decision matrix — USE Sessions when: instant revocation is needed (admin bans user, password changed → invalidate all sessions), single server or Redis already in use, traditional web app with form-based auth.
- USE JWT when: microservices (service-to-service auth), public API for mobile apps, SSO across multiple domains, stateless architecture required.
- Hybrid: JWT for access tokens (short-lived, 15 min) + server-side session for refresh tokens: instant revocation via the refresh store, stateless verification for the access token.
Pitfall: JWT is not encryption — the payload is base64, anyone with the token can read the claims — never put sensitive data in the payload.
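The hybrid pattern and the pitfall above, as an added, self-contained example (not code from the original notes): a minimal HS256 JWT minted with the standard library only, a server-side refresh-token store that rotates tokens on use and supports per-user revocation, and a helper that reads the claims without the key to show that the payload is merely base64url. The signing key, TTLs and user names are constructed demo values; a real deployment would use a JWT library, load the key from a secret manager, and back the store with Redis.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SIGNING_KEY = b"demo-signing-key-not-for-production"  # constructed demo value
ACCESS_TTL = 15 * 60           # 15 minutes, as in the hybrid pattern above
REFRESH_TTL = 7 * 24 * 3600    # 7 days, assumed value for the example


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(sub: str, now=None) -> str:
    """Stateless access token: claims + HMAC-SHA256 signature, nothing stored server-side."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": int(now), "exp": int(now) + ACCESS_TTL}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_access_token(token: str, now=None):
    """Verify signature and expiry only; no store lookup, so a stale token stays valid until exp."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":   # pin the algorithm; never trust alg from the token alone
            return None
        expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return None
    now = time.time() if now is None else now
    if payload.get("exp", 0) <= now:
        return None
    return payload


def read_claims_without_key(token: str) -> dict:
    """The pitfall: the payload segment is base64url, readable by anyone holding the token."""
    return json.loads(_b64url_decode(token.split(".")[1]))


class RefreshStore:
    """Server-side (stateful) half of the hybrid: refresh tokens that can be revoked instantly."""

    def __init__(self):
        self._tokens = {}  # sha256(raw token) -> {"sub": ..., "exp": ...}

    def issue(self, sub: str, now=None) -> str:
        now = time.time() if now is None else now
        raw = secrets.token_urlsafe(32)
        # store only a hash so a leaked store cannot be replayed as tokens
        self._tokens[hashlib.sha256(raw.encode()).hexdigest()] = {"sub": sub, "exp": now + REFRESH_TTL}
        return raw

    def redeem(self, raw: str, now=None):
        """Rotate: consume the refresh token once, return (new_access, new_refresh) or None."""
        now = time.time() if now is None else now
        record = self._tokens.pop(hashlib.sha256(raw.encode()).hexdigest(), None)
        if record is None or record["exp"] <= now:
            return None
        return mint_access_token(record["sub"], now), self.issue(record["sub"], now)

    def revoke_all(self, sub: str) -> int:
        """Admin ban / password change: drop every refresh token for the user; returns count removed."""
        before = len(self._tokens)
        self._tokens = {k: v for k, v in self._tokens.items() if v["sub"] != sub}
        return before - len(self._tokens)


if __name__ == "__main__":
    store = RefreshStore()
    access = mint_access_token("alice")
    print("claims readable without key:", read_claims_without_key(access))
    refresh = store.issue("alice")
    new_access, new_refresh = store.redeem(refresh)
    print("revoked refresh tokens:", store.revoke_all("alice"))
    print("old access token still verifies until exp:", verify_access_token(new_access) is not None)
```

The last two prints show the trade-off the notes describe: revoking the refresh token takes effect immediately, while any already-issued access token remains valid until its 15-minute expiry, which is why the access TTL is kept short.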