Session-Based Authentication

When discussing authentication, the schemes that come up most often are session-based, token-based and OAuth. Let's dive deeper into the session-based one.

Session-Based:

Keeping it simple, there is a DATABASE whose only job is storing ALL of the user's information (id, name, address, phone, ...). As a user, when we navigate to the website and sign in, our credentials (email & password) are passed from the CLIENT (browser) to the SERVER (backend).

After that, the SERVER looks up the submitted email in the DATABASE and compares the credentials. There are two possibilities: if no matching record is found, the user is asked to log in again; if the info matches, the SERVER creates a session for that user. When the SERVER creates the session, it passes the SESSION ID back to the CLIENT for later reference.

Now, the SESSION exists to prove the authenticity of the logged-in user, so that someone who entered correct credentials can access the resources without re-entering them. The SESSION ID is what the CLIENT uses for that. Whenever the CLIENT sends a request to the SERVER, it attaches the SESSION ID (which the browser stores in a cookie). On each request the SERVER recognises that this is the same user who logged in earlier and lets them access the resources allocated to them.

If you are wondering where the SESSION ID is actually used to grant access, I appreciate your proactiveness and attention. The SERVER has some memory set aside for the SESSION INFO, called SERVER MEMORY (RAM: in-memory storage that holds SESSION INFO temporarily for fast access). The SERVER matches the SESSION ID sent by the CLIENT against the stored SESSION INFO and from that determines ACCESSIBILITY. When the user logs out, the SESSION INFO is deleted, so the old SESSION ID no longer grants anything. SESSION INFO can also be deleted automatically if the SERVER enforces a limit on the SESSION TIME PERIOD.

BUT while SERVER MEMORY is enough in terms of storage, it is not enough for SCALABILITY [FOR LARGE SYSTEMS]: once there are several backend instances, a session created in one server's RAM is unknown to the others. Redis isn't mandatory for session management but is highly beneficial in distributed or high-load environments. Redis boosts performance by making critical data instantly accessible in memory, complementing the server's own RAM usage without replacing the primary database. The server memory (RAM) is inherently in-memory storage, and Redis is an in-memory database service that typically runs in RAM, either on the same server or on separate servers, depending on system requirements.

In short, Redis is an in-memory database service that typically runs in RAM and can be hosted on the same server or on separate servers in a distributed setup. Redis is valuable because it adds features and optimisations on top of raw server memory (shared access from every backend instance, key expiry, persistence) that make it more useful for session storage.
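The whole flow described above (credential check, SESSION ID creation, per-request lookup, logout and automatic expiry), as an added example that is not part of the original post. The user "database" and the `SessionStore` class are constructed for illustration; the store is a plain dict standing in for SERVER MEMORY, and it is the piece you would swap for a Redis-backed class in a distributed setup.

```python
import hashlib
import hmac
import os
import secrets

# Constructed user database: one record, password kept only as a salted PBKDF2 hash.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USER_DB = {"alice@example.com": {"id": 1, "name": "Alice", "salt": _SALT,
                                 "pw_hash": hash_password("correct horse", _SALT)}}

class SessionStore:
    """SESSION INFO keyed by SESSION ID; a dict stands in for server RAM (or Redis)."""
    def __init__(self, ttl_seconds: int):
        self.ttl = ttl_seconds
        self._sessions = {}  # session_id -> {"user_id": int, "expires": float}

    def create(self, user_id: int, now: float) -> str:
        sid = secrets.token_urlsafe(32)  # 256 random bits: not guessable, not derived from user data
        self._sessions[sid] = {"user_id": user_id, "expires": now + self.ttl}
        return sid

    def lookup(self, sid: str, now: float):
        info = self._sessions.get(sid)
        if info is None:
            return None
        if now >= info["expires"]:  # SESSION TIME PERIOD exceeded: delete, force re-login
            del self._sessions[sid]
            return None
        return info

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # logout: SESSION INFO removed, old SID is now useless

def login(store: SessionStore, email: str, password: str, now: float):
    """Check credentials; return a new SESSION ID, or None for unknown user AND wrong password alike."""
    user = USER_DB.get(email)
    if user is None or not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return None
    return store.create(user["id"], now)

def session_cookie(sid: str) -> str:
    """Set-Cookie value the SERVER sends so the browser stores the SESSION ID (not readable by JS)."""
    return f"session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"

def authorized_user(store: SessionStore, sid: str, now: float):
    """Per-request check: map the cookie's SESSION ID back to a user id, or None."""
    info = store.lookup(sid, now)
    return None if info is None else info["user_id"]
```

Timestamps are passed in explicitly so the expiry path can be exercised without waiting; a real server would use `time.time()`.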