What Stateful Authentication means:
Once the server has verified the user's credentials, it stores that user's session information on the server side and uses it to authorize the user's later requests.
The session data lives on the back-end server, whether in the server's filesystem, a database, a cache, or some other server-side store.
What Stateless Authentication means:
Once the server has verified the user's credentials, it creates a token and sends it to the client. The client keeps the token in a cookie, in local storage, or in some other client-side location.
The client has to send the token with every subsequent request to the server; the server keeps no session record of its own.
How Stateful Authentication works:
We have already explained what stateful means.
Let us take a PHP session as an example of stateful authentication:
*Figure: PHP code output*
We can see that PHP has set a cookie in the browser:
name: PHPSESSID
value: 0s857r2n83s8cjmklv8l6n7ja6
That value is a randomly generated unique identifier, and it doubles as the name of the file in which the session is stored on the back-end server. The cookie itself carries no user data, only this lookup key.
In our case (XAMPP on Windows), PHP stores the session in the filesystem under C:\xampp\tmp.
*Figure: Session in filesystem*
Whenever the client sends a further request, it includes the PHPSESSID cookie. The server fetches the session data from the filesystem by using the cookie value as the file name (sess_{PHPSESSID_COOKIE_VALUE}). Because the cookie value is the only thing linking the request to the session, it must be unguessable and protected in transit (Secure and HttpOnly cookie flags), and it should be regenerated after login so that an attacker cannot fix it in advance.
*Figure: Session data in the tmp file*
From the above example you can see how a stateful session is maintained on the server.
The session does not have to live in the filesystem; it can be kept in a database or a cache too.
*Figure: Stateful Authentication Flow*
Advantages:
- Session data is only accessible to the server; the client holds nothing but an opaque identifier.
- Easy to modify and extend: if we want to add additional session information such as email_id, we simply write it into the server-side record, and the client is unaffected.
- Smaller client-side attack surface: the only secret on the client is the session ID, so session hijacking (stealing the cookie) is the main risk to mitigate.
- Easily revocable: deleting the session data on the server immediately revokes that session's access.
Disadvantages:
- Uses server memory or storage: saving just a userid and username in a PHP session takes about 1KB. For an application like Facebook with around 2 billion active users per day, that is roughly 2TB just for session storage.
- Harder to scale horizontally: if we add another machine to handle requests, we must either share the session data between machines (for example through a shared cache or database) or route each request to the machine that holds its session (sticky sessions).
- Not easy to implement SSO, because the session is bound to one application's back-end.
How Stateless Authentication works:
Stateless means session data is not stored on the server; it is given to the client instead.
Let us take stateless JWT authentication in PHP as an example.
*Figure: Access token in cookie*
The token can also be stored on the client side in localStorage. Note that localStorage is readable by any script running on the page, so a cross-site scripting bug there exposes the token, whereas an HttpOnly cookie is not reachable from JavaScript.
You can visit https://jwt.io, paste the token below and see the payload. The payload is only base64url-encoded, not encrypted, so anyone holding the token can read it. For this reason we cannot store sensitive information in the token the way we could in a server-side session.
token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxMjEsInVzZXJfbmFtZSI6ImFnaGlsYW5iYXNrYXIifQ.jIbdRgbau6pCslDucbbr7pAlf9vMjvvBvKZY0oW9g2o
*Figure: Token data*
*Figure: Stateless auth flow*
Advantages:
- Takes negligible server memory: the server keeps no session record. Where revocation is needed, the usual approach is a refresh token stored in the database per user, which takes negligible space.
- Easy to scale horizontally: any machine that holds the verification key can validate a token, so adding another machine to handle requests needs no shared session store.
- Easy to implement SSO/OAuth in your application, because the same signed token can be accepted by several services.
Disadvantages:
- Token data is also visible to the client: the payload is only base64url-encoded, so the client (or anyone who captures the token) can read it. Sensitive information therefore cannot be stored in the token the way it can be in a server-side session.
- Not easy to modify or extend: if we want to add additional user information such as email_id, we have to wait until the current access token expires, or write additional logic to issue a new token with the extra payload.
- Vulnerable to attack: since the token is held on the client, an attacker who captures it can try to recover the signing secret offline, for example by brute-forcing a weak HS256 key. So we need a solid token design in the back-end: a long random secret, refresh-token logic, and periodic rotation of the signing key, especially for large-scale applications.
- Not easily revocable: if we have issued a token that expires after 2 hours, we cannot revoke it before then without adding server-side state such as a denylist, which reintroduces some of the statefulness we were trying to avoid.
Conclusion:
In this article, I have tried my best to explain the difference between stateful and stateless authentication. I hope it helps you.