Tokens are used for authentication, so what are sessions used for?
In this pattern, JWT handles user authentication and authorization, while a server-side Session plays a supporting role. Let's discuss in detail the respective roles of JWT and Session in this combination and why the Session is needed.
The role of JWT
- Additional security layer: Because a JWT is stateless, relying on it alone leaves the application exposed to risks such as a leaked or abused token, which the server cannot reject as long as its signature and expiry check out. The Session serves as an additional layer of security: even if the token is valid, the corresponding session must still exist in the server's session manager for the request to be accepted.
- Managing the token lifecycle: With a Session behind each token, lifecycle operations become straightforward, such as forcing a user to log in again or manually revoking a token.
- Controlling the "Remember Me" function: If the user selects "Remember Me", the Session records this choice, and when the JWT expires the Session decides whether the user may continue with the old token instead of logging in again.
Why do we need to create a session?
In this scenario, JWT provides stateless user authentication, giving convenience and scalability, while the Session acts as an auxiliary layer that provides additional security and state management. Combining the two draws on the strengths of both, so the system gains high scalability together with fine-grained security control.
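The following Python sketch is an added example, not code from the original article. It wires together the three Session roles listed above (a server-side existence check on every request, revocation and forced re-login, and "Remember Me" renewal after expiry). The HS256 signer is hand-rolled so the example runs offline, the in-memory SESSIONS dict stands in for a real session store, and the demo key, user names and timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed demo key; a real deployment loads it from a secrets manager.
SECRET = b"constructed-demo-key-do-not-reuse"
TOKEN_TTL = 900  # token lifetime in seconds (15 minutes)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Minimal HS256 JWT signer (hand-rolled here so the example is self-contained)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_jwt(token: str, now: float, check_exp: bool = True) -> Optional[dict]:
    """Stateless check only: constant-time signature comparison, then expiry."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # malformed structure, bad base64 or bad JSON
        return None
    if check_exp and claims.get("exp", 0) <= now:
        return None
    return claims


# Server-side session manager: session id (carried in the JWT "jti" claim) -> state.
SESSIONS: Dict[str, dict] = {}


def login(user: str, remember_me: bool, now: float) -> str:
    """Create a server-side session and bind a short-lived JWT to it via jti."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "remember_me": remember_me, "created": now}
    return sign_jwt({"sub": user, "jti": sid, "iat": now, "exp": now + TOKEN_TTL})


def authenticate(token: str, now: float) -> Optional[str]:
    """Accept a request only if the JWT verifies AND its session still exists."""
    claims = verify_jwt(token, now)
    if claims is None:
        return None
    session = SESSIONS.get(claims.get("jti", ""))
    if session is None or session["user"] != claims.get("sub"):
        return None
    return session["user"]


def logout(token: str) -> bool:
    """Manual revocation: delete the session so the still-signed JWT is rejected."""
    claims = verify_jwt(token, now=0, check_exp=False)
    if claims is None:
        return False
    return SESSIONS.pop(claims.get("jti", ""), None) is not None


def force_relogin(user: str) -> int:
    """Administrative action: drop every session of a user, invalidating all their tokens."""
    doomed = [sid for sid, s in SESSIONS.items() if s["user"] == user]
    for sid in doomed:
        del SESSIONS[sid]
    return len(doomed)


def renew(token: str, now: float) -> Optional[str]:
    """After the JWT expires, the session decides whether the user stays signed in."""
    claims = verify_jwt(token, now, check_exp=False)
    if claims is None:
        return None
    session = SESSIONS.get(claims.get("jti", ""))
    if session is None or session["user"] != claims.get("sub"):
        return None
    if claims.get("exp", 0) > now:
        return token  # not expired yet, keep using it
    if not session["remember_me"]:
        SESSIONS.pop(claims["jti"])  # the session ends together with the token
        return None
    # "Remember Me": issue a fresh token bound to the same server-side session.
    return sign_jwt({"sub": session["user"], "jti": claims["jti"], "iat": now, "exp": now + TOKEN_TTL})


if __name__ == "__main__":
    t0 = time.time()
    tok = login("alice", remember_me=True, now=t0)
    print(authenticate(tok, t0))                             # alice
    print(authenticate(renew(tok, t0 + 3600), t0 + 3600))    # alice, via remember-me renewal
    logout(tok)
    print(authenticate(tok, t0))                             # None: signature fine, session gone
```

The design point is the order of checks in authenticate(): the cheap stateless signature and expiry check runs first, and only a token that passes it costs a session-store lookup. Revocation never touches the token itself; deleting the session is enough, which is exactly what a pure JWT scheme cannot do before expiry.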