Cookies vs Sessions vs JWT
Cookies vs sessions vs JWT compared — how each stores auth state, revocation and scaling trade-offs — with code and web development interview questions.
Expected Interview Answer
A cookie is a small piece of data the browser stores and sends back with each request; a session keeps user state on the server and uses a cookie holding only a session ID to look it up; a JWT is a self-contained, cryptographically signed token that carries the user’s claims so the server can verify it without any server-side storage.
Cookies are just a client-side storage and transport mechanism — sessions and JWTs both often ride inside them. Server-side sessions store the actual data (user id, roles) in server memory or a store like Redis, and the cookie carries only an opaque session id, which makes revocation easy but requires shared state across servers. A JWT is stateless: it packs the claims plus a signature, so any server with the secret can validate it without a lookup, which scales well but makes instant revocation harder and requires care to keep tokens small and short-lived.
- Cookies: automatic, per-request transport handled by the browser
- Sessions: easy revocation and small cookie payload
- JWT: stateless verification, no server-side session store needed
- JWT: works cleanly across services and APIs
AI Mentor Explanation
A cookie is like the wristband a spectator wears — it just carries an identifier back and forth. A session is like the ticket office keeping your full seat and access details on file while your wristband holds only a lookup number; staff check the file each time. A JWT is like a laminated pass printed with all your access rights and an official seal, so any gate can verify it on sight without phoning the office. Storage-only band, server-file lookup, versus self-contained sealed pass.
Step-by-Step Explanation
Step 1
Cookie = transport
A small key-value the browser stores and auto-sends with each request to the same domain.
Step 2
Session = server state
Server stores user data; the cookie carries only an opaque session id used to look it up.
Step 3
JWT = self-contained token
Signed token holding the claims; any server with the secret verifies it without a store.
Step 4
Trade-off
Sessions revoke easily but need shared state; JWTs scale statelessly but revoke slowly.
What Interviewer Expects
- Cookie is transport/storage, not an auth strategy by itself
- Session data lives server-side; cookie holds only the id
- JWT is stateless and signed, verified without a lookup
- Revocation and scaling trade-offs between sessions and JWT
Common Mistakes
- Treating cookies and sessions as mutually exclusive alternatives
- Storing sensitive data unencrypted inside a JWT thinking it is hidden
- Assuming JWTs can be revoked as instantly as sessions
- Forgetting HttpOnly/Secure/SameSite flags on auth cookies
Best Answer (HR Friendly)
“A cookie is a small note the browser carries back to the site each time. A session keeps your details on the server and the cookie just holds a lookup key. A JWT is a signed pass that contains your details, so the server can trust it without looking anything up. Sessions are easy to cancel; JWTs scale better across servers.”
Code Example
// Session: cookie carries only an opaque id; data lives server-side
req.session.userId = user.id // stored in Redis/memory
// Set-Cookie: sid=abc123; HttpOnly; Secure; SameSite=Lax
// JWT: signed token carries the claims, no server store needed
const jwt = require('jsonwebtoken')
const token = jwt.sign({ sub: user.id, role: user.role }, SECRET, { expiresIn: '15m' })
const claims = jwt.verify(token, SECRET) // validates signature, no DB lookupFollow-up Questions
- What do the HttpOnly, Secure and SameSite cookie flags do?
- How do refresh tokens complement short-lived JWTs?
- How would you revoke a JWT before it expires?
- When would you prefer server-side sessions over JWTs?
MCQ Practice
1. In a server-side session, what does the browser cookie usually contain?
The cookie holds only an id used to look up the session data stored on the server.
2. A key advantage of a JWT over a server-side session is?
A JWT is self-contained and signed, so any server can verify it without a lookup.
3. Which flag stops JavaScript from reading an auth cookie?
HttpOnly makes a cookie inaccessible to document.cookie, reducing XSS token theft.
Flash Cards
What is a cookie? — A small key-value the browser stores and auto-sends with each request; a transport mechanism.
Where does session data live? — On the server (memory/Redis); the cookie carries only an opaque session id.
What is a JWT? — A stateless, signed token carrying the user’s claims, verifiable without a server store.
Sessions vs JWT trade-off? — Sessions revoke easily but need shared state; JWTs scale statelessly but revoke slowly.