Understanding the differences between session-based authentication and token-based authentication is crucial for building secure Java applications. Each approach has distinct characteristics, use cases, and implementation patterns.
Core Concepts
Session-Based Authentication
- Stateful: Server maintains session state
- Cookie-based: Uses HTTP cookies to track sessions
- Server-side storage: Session data stored on server
- Traditional approach: Widely used in monolithic applications
Token-Based Authentication
- Stateless: No server-side session storage
- Token-based: Uses self-contained tokens (usually JWT)
- Client-side storage: Token stored on client side
- Modern approach: Preferred for APIs and microservices
Session-Based Authentication Implementation
Example 1: Traditional Servlet Session Management
@Controller
@RequestMapping("/auth/session")
public class SessionAuthController {
@PostMapping("/login")
public String login(@RequestParam String username,
@RequestParam String password,
HttpServletRequest request,
HttpSession session) {
// Authenticate user
User user = authenticate(username, password);
if (user == null) {
return "redirect:/login?error=true";
}
// Create session and store user information
session.setAttribute("user", user);
session.setAttribute("loginTime", System.currentTimeMillis());
session.setMaxInactiveInterval(30 * 60); // 30 minutes
// Set security context
SecurityContextHolder.getContext().setAuthentication(
new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities())
);
return "redirect:/dashboard";
}
@GetMapping("/profile")
public String getProfile(HttpSession session) {
User user = (User) session.getAttribute("user");
if (user == null) {
return "redirect:/login";
}
return "profile";
}
@PostMapping("/logout")
public String logout(HttpServletRequest request) {
// Invalidate session
HttpSession session = request.getSession(false);
if (session != null) {
session.invalidate();
}
// Clear security context
SecurityContextHolder.clearContext();
return "redirect:/login?logout=true";
}
private User authenticate(String username, String password) {
// Implementation depends on your UserService
return userService.findByUsernameAndPassword(username, password);
}
}
// Session configuration
@Configuration
@EnableWebSecurity
public class SessionSecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.sessionManagement(session -> session
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.maximumSessions(1)
.maxSessionsPreventsLogin(false)
.expiredUrl("/login?expired=true")
)
.authorizeHttpRequests(auth -> auth
.requestMatchers("/public/**").permitAll()
.requestMatchers("/admin/**").hasRole("ADMIN")
.anyRequest().authenticated()
)
.formLogin(form -> form
.loginPage("/login")
.defaultSuccessUrl("/dashboard")
.failureUrl("/login?error=true")
.permitAll()
)
.logout(logout -> logout
.logoutUrl("/logout")
.logoutSuccessUrl("/login?logout=true")
.invalidateHttpSession(true)
.deleteCookies("JSESSIONID")
);
return http.build();
}
}
Example 2: Spring Session with Redis
@Configuration
@EnableRedisHttpSession
public class RedisSessionConfig {
@Bean
public LettuceConnectionFactory connectionFactory() {
return new LettuceConnectionFactory();
}
}
// Custom session repository
@Component
public class CustomSessionRepository {
private final FindByIndexNameSessionRepository<? extends Session> sessionRepository;
public CustomSessionRepository(FindByIndexNameSessionRepository<? extends Session> sessionRepository) {
this.sessionRepository = sessionRepository;
}
public void expireUserSessions(String username) {
Map<String, ? extends Session> userSessions =
sessionRepository.findByPrincipalName(username);
userSessions.values().forEach(session ->
sessionRepository.deleteById(session.getId()));
}
public List<SessionInfo> getUserActiveSessions(String username) {
return sessionRepository.findByPrincipalName(username).values().stream()
.map(session -> new SessionInfo(
session.getId(),
session.getCreationTime().toEpochMilli(),
session.getLastAccessedTime().toEpochMilli()
))
.collect(Collectors.toList());
}
}
// Session information DTO
public class SessionInfo {
private final String sessionId;
private final long creationTime;
private final long lastAccessTime;
// constructor, getters
}
Token-Based Authentication Implementation
Example 3: JWT Token Authentication
// JWT Utility class
@Component
public class JwtTokenUtil {
private final String secret = "your-secret-key";
private final long expiration = 86400000; // 24 hours
public String generateToken(UserDetails userDetails) {
Map<String, Object> claims = new HashMap<>();
claims.put("roles", userDetails.getAuthorities().stream()
.map(GrantedAuthority::getAuthority)
.collect(Collectors.toList()));
return Jwts.builder()
.setClaims(claims)
.setSubject(userDetails.getUsername())
.setIssuedAt(new Date(System.currentTimeMillis()))
.setExpiration(new Date(System.currentTimeMillis() + expiration))
.signWith(SignatureAlgorithm.HS512, secret)
.compact();
}
public boolean validateToken(String token, UserDetails userDetails) {
final String username = extractUsername(token);
return (username.equals(userDetails.getUsername()) && !isTokenExpired(token));
}
public String extractUsername(String token) {
return extractClaim(token, Claims::getSubject);
}
public Date extractExpiration(String token) {
return extractClaim(token, Claims::getExpiration);
}
private <T> T extractClaim(String token, Function<Claims, T> claimsResolver) {
final Claims claims = extractAllClaims(token);
return claimsResolver.apply(claims);
}
private Claims extractAllClaims(String token) {
return Jwts.parser()
.setSigningKey(secret)
.parseClaimsJws(token)
.getBody();
}
private boolean isTokenExpired(String token) {
return extractExpiration(token).before(new Date());
}
}
// JWT Authentication Filter
@Component
public class JwtAuthenticationFilter extends OncePerRequestFilter {
private final JwtTokenUtil jwtTokenUtil;
private final UserDetailsService userDetailsService;
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response,
FilterChain chain) throws ServletException, IOException {
final String requestTokenHeader = request.getHeader("Authorization");
String username = null;
String jwtToken = null;
// JWT Token is in the form "Bearer token"
if (requestTokenHeader != null && requestTokenHeader.startsWith("Bearer ")) {
jwtToken = requestTokenHeader.substring(7);
try {
username = jwtTokenUtil.extractUsername(jwtToken);
} catch (Exception e) {
logger.warn("JWT Token validation failed");
}
}
// Validate token
if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
UserDetails userDetails = this.userDetailsService.loadUserByUsername(username);
if (jwtTokenUtil.validateToken(jwtToken, userDetails)) {
UsernamePasswordAuthenticationToken authentication =
new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
SecurityContextHolder.getContext().setAuthentication(authentication);
}
}
chain.doFilter(request, response);
}
}
Example 4: Token-Based Authentication Controller
@RestController
@RequestMapping("/auth/token")
public class TokenAuthController {
private final AuthenticationManager authenticationManager;
private final JwtTokenUtil jwtTokenUtil;
private final UserDetailsService userDetailsService;
private final RefreshTokenService refreshTokenService;
@PostMapping("/login")
public ResponseEntity<?> login(@RequestBody LoginRequest loginRequest) {
try {
Authentication authentication = authenticationManager.authenticate(
new UsernamePasswordAuthenticationToken(
loginRequest.getUsername(),
loginRequest.getPassword()
)
);
SecurityContextHolder.getContext().setAuthentication(authentication);
UserDetails userDetails = (UserDetails) authentication.getPrincipal();
String accessToken = jwtTokenUtil.generateToken(userDetails);
RefreshToken refreshToken = refreshTokenService.createRefreshToken(userDetails.getUsername());
return ResponseEntity.ok(new JwtResponse(
accessToken,
refreshToken.getToken(),
userDetails.getUsername(),
userDetails.getAuthorities().stream()
.map(GrantedAuthority::getAuthority)
.collect(Collectors.toList())
));
} catch (BadCredentialsException e) {
return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
.body(new ErrorResponse("Invalid credentials"));
}
}
@PostMapping("/refresh")
public ResponseEntity<?> refreshToken(@RequestBody RefreshTokenRequest request) {
String requestRefreshToken = request.getRefreshToken();
return refreshTokenService.findByToken(requestRefreshToken)
.map(refreshTokenService::verifyExpiration)
.map(RefreshToken::getUser)
.map(user -> {
String accessToken = jwtTokenUtil.generateToken(user);
return ResponseEntity.ok(new JwtRefreshResponse(accessToken, requestRefreshToken));
})
.orElseThrow(() -> new TokenRefreshException(requestRefreshToken, "Refresh token not found"));
}
@PostMapping("/logout")
public ResponseEntity<?> logout(@RequestBody LogoutRequest logoutRequest) {
refreshTokenService.deleteByUserId(logoutRequest.getUserId());
return ResponseEntity.ok(new MessageResponse("Logout successful"));
}
@GetMapping("/validate")
public ResponseEntity<?> validateToken(@RequestHeader("Authorization") String authHeader) {
if (authHeader != null && authHeader.startsWith("Bearer ")) {
String token = authHeader.substring(7);
try {
String username = jwtTokenUtil.extractUsername(token);
UserDetails userDetails = userDetailsService.loadUserByUsername(username);
if (jwtTokenUtil.validateToken(token, userDetails)) {
return ResponseEntity.ok(new ValidationResponse(true, username));
}
} catch (Exception e) {
// Token validation failed
}
}
return ResponseEntity.ok(new ValidationResponse(false, null));
}
}
// DTO classes
public class LoginRequest {
private String username;
private String password;
// getters, setters
}
public class JwtResponse {
private String accessToken;
private String refreshToken;
private String type = "Bearer";
private String username;
private List<String> roles;
// constructor, getters
}
public class RefreshTokenRequest {
private String refreshToken;
// getters, setters
}
Security Configuration Comparison
Example 5: Session vs Token Security Config
// Session-based Security Configuration
@Configuration
@EnableWebSecurity
public class SessionSecurityConfiguration {
@Bean
public SecurityFilterChain sessionFilterChain(HttpSecurity http) throws Exception {
http
.csrf(csrf -> csrf.disable())
.sessionManagement(session -> session
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.maximumSessions(1)
.sessionRegistry(sessionRegistry())
)
.authorizeHttpRequests(auth -> auth
.requestMatchers("/api/public/**").permitAll()
.anyRequest().authenticated()
)
.formLogin(form -> form
.loginPage("/login")
.permitAll()
)
.logout(logout -> logout
.logoutUrl("/logout")
.logoutSuccessUrl("/login?logout=true")
.invalidateHttpSession(true)
.deleteCookies("JSESSIONID")
);
return http.build();
}
@Bean
public SessionRegistry sessionRegistry() {
return new SessionRegistryImpl();
}
}
// Token-based Security Configuration
@Configuration
@EnableWebSecurity
public class TokenSecurityConfiguration {
private final JwtAuthenticationFilter jwtAuthenticationFilter;
@Bean
public SecurityFilterChain tokenFilterChain(HttpSecurity http) throws Exception {
http
.csrf(csrf -> csrf.disable())
.sessionManagement(session -> session
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
)
.authorizeHttpRequests(auth -> auth
.requestMatchers("/auth/token/login").permitAll()
.requestMatchers("/auth/token/refresh").permitAll()
.requestMatchers("/api/public/**").permitAll()
.anyRequest().authenticated()
)
.addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
.exceptionHandling(exceptions -> exceptions
.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
);
return http.build();
}
@Bean
public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
return config.getAuthenticationManager();
}
}
Performance and Scalability Comparison
Example 6: Performance Testing
@SpringBootTest
@AutoConfigureTestDatabase
class AuthPerformanceTest {
@Autowired
private WebTestClient webTestClient;
@Autowired
private UserRepository userRepository;
@Test
void performanceComparison() {
// Setup test data
User user = new User("testuser", "password", "ROLE_USER");
userRepository.save(user);
// Test session-based authentication
long sessionStartTime = System.currentTimeMillis();
for (int i = 0; i < 100; i++) {
testSessionAuth();
}
long sessionEndTime = System.currentTimeMillis();
// Test token-based authentication
String token = obtainToken();
long tokenStartTime = System.currentTimeMillis();
for (int i = 0; i < 100; i++) {
testTokenAuth(token);
}
long tokenEndTime = System.currentTimeMillis();
System.out.println("Session auth time: " + (sessionEndTime - sessionStartTime) + "ms");
System.out.println("Token auth time: " + (tokenEndTime - tokenStartTime) + "ms");
}
private void testSessionAuth() {
webTestClient.post().uri("/auth/session/login")
.bodyValue("username=testuser&password=password")
.exchange()
.expectStatus().is3xxRedirection();
}
private String obtainToken() {
return webTestClient.post().uri("/auth/token/login")
.bodyValue(new LoginRequest("testuser", "password"))
.exchange()
.returnResult(JwtResponse.class)
.getResponseBody()
.blockFirst()
.getAccessToken();
}
private void testTokenAuth(String token) {
webTestClient.get().uri("/api/protected")
.header("Authorization", "Bearer " + token)
.exchange()
.expectStatus().isOk();
}
}
Comprehensive Comparison Table
| Aspect | Session-Based Authentication | Token-Based Authentication |
|---|---|---|
| State Management | Stateful (server stores session) | Stateless (token contains all data) |
| Storage | Server-side (memory, Redis, database) | Client-side (localStorage, cookies) |
| Scalability | Requires session replication/sticky sessions | Horizontally scalable |
| Performance | Database lookup for each request | Token validation only |
| Mobile Support | Limited (cookies not ideal) | Excellent (tokens work well) |
| Cross-Domain | Requires CORS configuration | Built-in support |
| Security | CSRF protection needed | XSS protection needed |
| Implementation | Simpler for traditional web apps | Better for APIs/SPAs |
| Logout | Immediate (session destruction) | Token remains valid until expiration |
Best Practices and Recommendations
Session-Based Authentication Best Practices
@Component
public class SessionSecurityBestPractices {
// Secure session configuration
@Bean
public ServletWebServerFactory servletContainer() {
TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
tomcat.addContextCustomizers(context -> {
context.setSessionTimeout(30); // minutes
context.setSessionCookieName("APP_SESSION");
context.setUseHttpOnly(true);
context.setSecure(true); // HTTPS only
});
return tomcat;
}
// Session fixation protection
@Bean
public HttpSessionIdResolver httpSessionIdResolver() {
return HeaderHttpSessionIdResolver.xAuthToken();
}
}
// Session management service
@Service
public class SessionManagementService {
private final SessionRegistry sessionRegistry;
public void expireUserSessions(String username) {
List<Object> principals = sessionRegistry.getAllPrincipals();
for (Object principal : principals) {
if (principal instanceof User) {
User user = (User) principal;
if (user.getUsername().equals(username)) {
List<SessionInformation> sessions = sessionRegistry.getAllSessions(user, false);
for (SessionInformation session : sessions) {
session.expireNow();
}
}
}
}
}
}
Token-Based Authentication Best Practices
@Service
public class TokenManagementService {
private final JwtTokenUtil jwtTokenUtil;
private final BlacklistTokenRepository blacklistRepository;
public void revokeToken(String token) {
// Add to blacklist until expiration
Date expiration = jwtTokenUtil.extractExpiration(token);
BlacklistedToken blacklistedToken = new BlacklistedToken(token, expiration);
blacklistRepository.save(blacklistedToken);
}
public boolean isTokenRevoked(String token) {
return blacklistRepository.existsByToken(token);
}
public void cleanExpiredBlacklistedTokens() {
blacklistRepository.deleteByExpiryDateBefore(new Date());
}
}
// Secure token storage
@Component
public class TokenStorageService {
public void storeToken(HttpServletResponse response, String token) {
// Secure cookie storage
ResponseCookie cookie = ResponseCookie.from("access_token", token)
.httpOnly(true)
.secure(true)
.path("/")
.maxAge(Duration.ofHours(24))
.sameSite("Strict")
.build();
response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
}
public void clearToken(HttpServletResponse response) {
ResponseCookie cookie = ResponseCookie.from("access_token", "")
.httpOnly(true)
.secure(true)
.path("/")
.maxAge(0)
.build();
response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
}
}
Hybrid Approach
Example 7: Session with Token Enhancement
@Service
public class HybridAuthService {
public HybridAuthResponse login(LoginRequest request, HttpSession session) {
// Traditional session creation
User user = authenticate(request.getUsername(), request.getPassword());
session.setAttribute("user", user);
// Generate token for API calls
String apiToken = jwtTokenUtil.generateToken(user);
return new HybridAuthResponse(apiToken, session.getId());
}
public boolean validateApiToken(String token, HttpSession session) {
try {
String username = jwtTokenUtil.extractUsername(token);
User sessionUser = (User) session.getAttribute("user");
return sessionUser != null &&
sessionUser.getUsername().equals(username) &&
jwtTokenUtil.validateToken(token, sessionUser);
} catch (Exception e) {
return false;
}
}
}
Conclusion
When to Use Session-Based Authentication:
- Traditional web applications with server-side rendering
- Simple applications without complex scalability requirements
- When you need immediate logout capability
- Applications requiring strict session control
When to Use Token-Based Authentication:
- SPA (Single Page Applications) and mobile apps
- Microservices architecture and APIs
- Cross-domain applications
- Scalable systems requiring horizontal scaling
- Third-party integrations (OAuth, OpenID Connect)
Key Takeaways:
- Sessions are simpler for traditional web apps but harder to scale
- Tokens are better for modern applications and APIs but require careful security implementation
- Consider your application architecture and requirements before choosing
- Security considerations differ significantly between approaches
- Hybrid approaches can provide the benefits of both in some scenarios
The choice between session and token authentication depends on your specific use case, architecture requirements, and security considerations. Both approaches are valid when implemented correctly with appropriate security measures.