Web Security

Session vs JWT Tokens: The Core Difference Explained
Every time someone asks me “should I use sessions or JWTs?”, I know what’s actually behind the question. They’ve read a few blog posts, seen the word “stateless” thrown around like it’s automatically better, and now they’re stuck. So let’s settle this properly - not with buzzwords, but with what’s actually happening on the wire and on your server.
Sessions: the “we keep a record at the front desk” approach
Think of session-based auth like checking into a hotel. You show your ID once at the front desk, the staff verifies it, and they hand you a room key card. That card doesn’t contain your name, your passport number, or your booking details - it’s just a random number. The hotel’s computer system has all your actual information stored in their database, linked to that card number.
Understanding Common HTTP Headers on Amazon
Every request you make to a website carries a small pile of metadata you never see. Headers. They decide whether your connection is encrypted, whether a page can be embedded in an iframe, which CDN edge served you, and whether the browser should remember a cookie for a year. I wanted to see what a real, busy production site sends, so I pointed curl at an Amazon endpoint and dumped the response headers. Turns out there’s a lot to unpack.