JWT compared with Session


What is the JWT


JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way to transmit information securely between parties as a JSON object. The standard itself provides no implementation, but most language platforms supply their own implementation of what it specifies, so in practice you only need to pick the right library for your project's platform from the official website.


JWT is used to transmit data, and what is actually transmitted is a string called the JSON Web Token. So, broadly, JWT is the name of a standard; narrowly, JWT refers to the token string that is passed around. This string has two characteristics:

    Compact: the string is small and can be passed as a URL parameter, in submitted form data, or in an HTTP request header;

    Self-contained: the string can carry a lot of information, such as the user id and roles; whoever receives the string gets this key business information without a further database query or any other lookup.


It consists of three parts separated by periods: the header, the payload and the signature. (The original is a single line of text; it is split into three rows here only to make the structure visible.)

    The header declares the type (typ) and the algorithm (alg).

    The payload generally stores non-sensitive information such as the user name, permissions and roles.

    The signature is produced by base64url-encoding the JSON of the header and of the payload, joining the two resulting strings with a period, and then computing the signature over that string with the algorithm named in the header's alg.

Differences from Session

Why compare JWT with Session? Because we now mainly use JWT to authenticate each request, whereas before we all used Session. So where do the two differ?

Meaning of the string itself

From the previous section we saw that the JWT string itself contains information about the user, such as the user name, permissions and roles.

The sessionId passed with a Session is a simpler string, but it carries no meaning by itself.

So a JWT string is generally longer than a sessionId, and the more information you store in the JWT, the longer it becomes.

Cookie storage capacity is limited (usually 4KB), so we need to pay attention to this when using JWT.

Parsing

The header and payload of a JWT are just transformed JSON, and the signature is a string produced by the signing algorithm, so parsing is relatively simple and needs no other auxiliary data.

A sessionId identifies a user object stored on the server; in theory an additional map is required to look up the current user's information.


In theory a JWT makes requests stateless, so it depends only on the user administration itself. We usually put an expiration time in its payload; without additional management, simply letting it expire automatically is the only way to end its life.

Session is different: because it is stored on the server side, there are many management solutions for it, and most of them are very mature.


A JWT is JSON-based, so it is easy to use across platforms: you can download a package for each platform from the official website and parse it there.

Session is not so easy to make cross-platform. You have to consider the format in which the user information is stored (ProtoBuf, JSON, XML and so on), and management may then require a dedicated unified sign-on platform, which I will not go into here.


Once a stateless JWT has been generated, the server has nothing more to do with it. As soon as the data is updated on the server, the data stored in the stateless JWT becomes outdated, because it cannot be updated.

Session is different: the sessionId itself has little meaning, and the data stored on the server can simply be modified.
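To make the two points above concrete (the sessionId carrying no meaning while the server-side data stays editable, and the JWT string growing with the claims it stores), here is an added example that is not part of the original post. It assumes a session id made of 32 random bytes encoded with base64url, and a fixed 43-character base64url signature for HS256 (a 32-byte HMAC-SHA256 digest); both are assumptions for the example, not something the post specifies.

```python
import base64
import json
import secrets
from typing import Dict, Optional

# 32-byte HMAC-SHA256 digest -> 43 base64url characters without padding (assumed HS256).
HS256_SIGNATURE_B64URL_LEN = 43
# The roughly 4KB cookie limit the post mentions.
COOKIE_LIMIT_BYTES = 4096


class SessionStore:
    """Server-side session map: the sessionId is opaque, all meaning lives in the map."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self, user: dict) -> str:
        session_id = secrets.token_urlsafe(32)  # 32 random bytes -> 43 chars, no meaning
        self._sessions[session_id] = dict(user)
        return session_id

    def lookup(self, session_id: str) -> Optional[dict]:
        """The 'additional map' lookup the post describes; None if unknown or revoked."""
        return self._sessions.get(session_id)

    def update_roles(self, session_id: str, roles: list) -> bool:
        """A server-side change is visible on the user's next request, no token reissue needed."""
        session = self._sessions.get(session_id)
        if session is None:
            return False
        session["roles"] = list(roles)
        return True

    def revoke(self, session_id: str) -> bool:
        """Ending a session is just deleting the map entry."""
        return self._sessions.pop(session_id, None) is not None


def jwt_length_estimate(payload: dict) -> int:
    """Length of header.payload.signature for an HS256 JWT carrying this payload.

    Only the two JSON parts are encoded; the signature length is a known constant,
    so no key is needed to see how the token grows with its claims.
    """
    header = {"alg": "HS256", "typ": "JWT"}

    def part_len(obj: dict) -> int:
        raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")  # compact JSON
        return len(base64.urlsafe_b64encode(raw).rstrip(b"="))       # base64url, no padding

    return part_len(header) + 1 + part_len(payload) + 1 + HS256_SIGNATURE_B64URL_LEN


def fits_in_cookie(payload: dict) -> bool:
    """Would a JWT with this payload stay under the cookie limit?"""
    return jwt_length_estimate(payload) <= COOKIE_LIMIT_BYTES


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create({"uid": 42, "roles": ["reader"]})
    print("sessionId length:", len(sid), "meaning on its own: none")
    store.update_roles(sid, ["reader", "admin"])
    print("roles after server-side update:", store.lookup(sid)["roles"])
    few = {"uid": 42, "roles": ["reader"]}
    many = {"uid": 42, "roles": ["permission-%04d" % i for i in range(300)]}
    print("JWT length with few roles:", jwt_length_estimate(few), fits_in_cookie(few))
    print("JWT length with many roles:", jwt_length_estimate(many), fits_in_cookie(many))
```

The session id stays 43 characters no matter how many roles the user has, while the JWT estimate passes the cookie limit well before 300 permission entries, which is the point the later "many permissions" scenario makes.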

Applicable scenarios

JWT is best used as a one-off authorization token. The token in this scenario has the following characteristics:

    Short lifetime

    Meant to be used only once

Example of a real scenario: a file hosting service that consists of two parts:

    Web application: an application that the user can log in to and that maintains the user's state; the user selects the file to download in this application.

    File download service: a stateless download service that allows downloads only by key.

How is JWT used in this scenario?

    The user logs in to the web application, selects the file to download, and clicks Download.

    The authentication service issues a JWT that contains the download information and has a short expiration time. The information in the JWT might look like this:

    {
        "file": "/books/我这一辈子.pdf",
        "exp": 1500719759621
    }

    The download service uses the JWT to serve the file.
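The following is an added example, not code from the original post, that implements the download flow just described end to end and at the same time shows the three-part header.payload.signature structure from the "What is the JWT" section, using only the standard library. It assumes HS256 (HMAC-SHA256) as the algorithm and a shared secret known to both the web application and the download service; the secret value here is constructed for the example. Note that RFC 7519 defines exp as seconds since the epoch, so the example works in seconds.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Shared between the web application and the download service.
# Constructed value for this example; a real deployment loads it from configuration.
SHARED_SECRET = b"example-shared-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, the encoding a JWT uses for each of its parts."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore the padding base64 needs, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_download_token(file_path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Web application side: build header.payload.signature for one short-lived download."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"file": file_path, "exp": now + ttl_seconds}  # exp in seconds (RFC 7519)
    # Compact JSON (no spaces) keeps the token small, the 'compact' property of a JWT.
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    signing_input = f"{header_b64}.{payload_b64}"
    # HS256: HMAC-SHA256 over "header.payload" with the shared secret.
    signature = hmac.new(SHARED_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def verify_download_token(token: str, now: Optional[int] = None) -> dict:
    """Download service side: check structure, algorithm, signature and expiry.

    Returns the claims on success and raises ValueError otherwise.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the verifier side instead of trusting the token's own header.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(
        SHARED_SECRET, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison so timing does not reveal how many signature bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    # Valid only before exp; a token without exp is rejected, since this flow relies on expiry.
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("token expired or has no exp")
    return payload


def is_valid_download_token(token: str, now: Optional[int] = None) -> bool:
    """Accept/reject wrapper for callers that do not need the claims themselves."""
    try:
        verify_download_token(token, now)
        return True
    except ValueError:  # covers malformed base64 and JSON as well
        return False


if __name__ == "__main__":
    token = issue_download_token("/books/我这一辈子.pdf", ttl_seconds=60)
    print(token)                          # header.payload.signature on a single line
    print(verify_download_token(token))   # {'file': '/books/我这一辈子.pdf', 'exp': ...}
```

The verifier deliberately decides the algorithm itself rather than reading it from the header, compares signatures in constant time, and treats a missing exp as a failure; those three checks are what make the "use once, expire quickly" scenario hold up in practice.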


Session is better suited to session management for web applications, which are generally characterized by:

    Many permissions: with JWT the token would become very long and is likely to exceed the Cookie's storage limit.

    Basic information that is likely to change. A typical back-office management system will certainly see personnel changes, and permissions will change accordingly; with JWT the server would then have to actively invalidate tokens, turning the originally stateless JWT into something stateful and defeating its purpose.

Summary

Using JWT does not mean adopting it just because it is new; you should consider its application scenario. If you need management, consider using Session, since its solutions are more mature. If you want to explore something new together with the author, please leave a comment below.

If you are interested, you can follow my WeChat official account; there may be surprises.
