Session-based
The client logs into the server and receives a session id. The server keeps every active session in its own store so that it can verify the id on later requests.
                Client                     Server
                  |                                   |
                  |--- POST /login { User, Pass } --->| Store session
Store SessionId   |<----------- SessionId ------------|
                  |                                   |
                  |--- GET /data { SessionId } ------>|
                  |                                   |
                  |--- POST /logout { SessionId } --->| Remove session
On the client, the SessionId can be kept in a cookie, in local storage or in session storage.
Token-based
The client obtains a token from a dedicated auth server and then presents this token to authenticate itself to the same server or to another one.
            Client                        Auth-Server
              |                                   |
              |--- POST /login { User, Pass } --->| Create Token
Store Token   |<------------- Token --------------| Content-Server
              |                                   |                       |
              |------------------ GET /data { Token } ------------------->|
On the client, the Token can be kept in a cookie, in local storage or in session storage.
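The two flows above side by side, as an added example that is not part of the original page: the session server keeps a dictionary of live session ids, while the token is an HMAC-signed string that a separate content server verifies with a shared secret it is assumed to hold; the user table, the secret and the claim layout are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# --- Session-based: the server keeps a cache of live sessions ---
USERS = {"alice": "correct horse"}   # constructed sample credential store
SESSIONS = {}                        # session id -> user, held server-side

def login_session(user, password):
    """POST /login: check credentials, store a session, return its id."""
    if USERS.get(user) != password:
        return None
    sid = secrets.token_urlsafe(32)  # unguessable random id, not derived from user
    SESSIONS[sid] = user
    return sid

def get_data_session(sid):
    """GET /data: the id is valid only while it is in the server cache."""
    return SESSIONS.get(sid)

def logout_session(sid):
    """POST /logout: dropping the entry invalidates the id at once."""
    SESSIONS.pop(sid, None)

# --- Token-based: auth server signs, content server verifies statelessly ---
SECRET = b"shared-secret-assumed-for-this-example"  # assumed key shared by both servers

def create_token(user, ttl=3600):
    """Auth-Server: HMAC-sign {user, exp}; nothing is stored server-side."""
    claims = json.dumps({"user": user, "exp": time.time() + ttl}).encode()
    payload = base64.urlsafe_b64encode(claims).decode()
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig

def verify_token(token):
    """Content-Server: recompute the MAC with the shared secret, then check expiry."""
    payload, _, sig = token.partition(".")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged, tampered or malformed token
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims["user"] if claims["exp"] > time.time() else None
```

Note the trade-off the diagrams imply: logout_session revokes access immediately because the server owns the state, whereas a signed token stays valid until its exp unless the content server also keeps a denylist.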