100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

Cookies vs Sessions vs JWT

Cookies vs sessions vs JWT compared — how each stores auth state, revocation and scaling trade-offs — with code and web development interview questions.

mediumQ2 of 224 in Web Development Est. time: 6 minsLast updated:
Open Code Lab

Expected Interview Answer

A cookie is a small piece of data the browser stores and sends back with each request; a session keeps user state on the server and uses a cookie holding only a session ID to look it up; a JWT is a self-contained, cryptographically signed token that carries the user’s claims so the server can verify it without any server-side storage.

Cookies are just a client-side storage and transport mechanism — sessions and JWTs both often ride inside them. Server-side sessions store the actual data (user id, roles) in server memory or a store like Redis, and the cookie carries only an opaque session id, which makes revocation easy but requires shared state across servers. A JWT is stateless: it packs the claims plus a signature, so any server with the secret can validate it without a lookup, which scales well but makes instant revocation harder and requires care to keep tokens small and short-lived.

  • Cookies: automatic, per-request transport handled by the browser
  • Sessions: easy revocation and small cookie payload
  • JWT: stateless verification, no server-side session store needed
  • JWT: works cleanly across services and APIs

AI Mentor Explanation

A cookie is like the wristband a spectator wears — it just carries an identifier back and forth. A session is like the ticket office keeping your full seat and access details on file while your wristband holds only a lookup number; staff check the file each time. A JWT is like a laminated pass printed with all your access rights and an official seal, so any gate can verify it on sight without phoning the office. Storage-only band, server-file lookup, versus self-contained sealed pass.

Step-by-Step Explanation

  1. Step 1

    Cookie = transport

    A small key-value the browser stores and auto-sends with each request to the same domain.

  2. Step 2

    Session = server state

    Server stores user data; the cookie carries only an opaque session id used to look it up.

  3. Step 3

    JWT = self-contained token

    Signed token holding the claims; any server with the secret verifies it without a store.

  4. Step 4

    Trade-off

    Sessions revoke easily but need shared state; JWTs scale statelessly but revoke slowly.

What Interviewer Expects

  • Cookie is transport/storage, not an auth strategy by itself
  • Session data lives server-side; cookie holds only the id
  • JWT is stateless and signed, verified without a lookup
  • Revocation and scaling trade-offs between sessions and JWT

Common Mistakes

  • Treating cookies and sessions as mutually exclusive alternatives
  • Storing sensitive data unencrypted inside a JWT thinking it is hidden
  • Assuming JWTs can be revoked as instantly as sessions
  • Forgetting HttpOnly/Secure/SameSite flags on auth cookies

Best Answer (HR Friendly)

A cookie is a small note the browser carries back to the site each time. A session keeps your details on the server and the cookie just holds a lookup key. A JWT is a signed pass that contains your details, so the server can trust it without looking anything up. Sessions are easy to cancel; JWTs scale better across servers.

Code Example

Session cookie vs JWT in Express
// Session: cookie carries only an opaque id; data lives server-side
req.session.userId = user.id // stored in Redis/memory
// Set-Cookie: sid=abc123; HttpOnly; Secure; SameSite=Lax

// JWT: signed token carries the claims, no server store needed
const jwt = require('jsonwebtoken')
const token = jwt.sign({ sub: user.id, role: user.role }, SECRET, { expiresIn: '15m' })
const claims = jwt.verify(token, SECRET) // validates signature, no DB lookup

Follow-up Questions

  • What do the HttpOnly, Secure and SameSite cookie flags do?
  • How do refresh tokens complement short-lived JWTs?
  • How would you revoke a JWT before it expires?
  • When would you prefer server-side sessions over JWTs?

MCQ Practice

1. In a server-side session, what does the browser cookie usually contain?

The cookie holds only an id used to look up the session data stored on the server.

2. A key advantage of a JWT over a server-side session is?

A JWT is self-contained and signed, so any server can verify it without a lookup.

3. Which flag stops JavaScript from reading an auth cookie?

HttpOnly makes a cookie inaccessible to document.cookie, reducing XSS token theft.

Flash Cards

What is a cookie?A small key-value the browser stores and auto-sends with each request; a transport mechanism.

Where does session data live?On the server (memory/Redis); the cookie carries only an opaque session id.

What is a JWT?A stateless, signed token carrying the user’s claims, verifiable without a server store.

Sessions vs JWT trade-off?Sessions revoke easily but need shared state; JWTs scale statelessly but revoke slowly.

1 / 4

Continue Learning