# Authentication & Authorization

Sometimes a client needs to fetch resources from the server, and the server has to verify the client's permission first. This is hard because the `HTTP` protocol is stateless: the server does not know who you are from one request to the next, so we need some way to make the interaction stateful.

There are many ways to do this, for example:

1. Token based
2. Session based

JWT is one of the most widely used token-based approaches for building an authentication system. With this mechanism the server does not need to store any session in the DB; instead it generates a token that contains the user's information, and the client attaches it to an HTTP header on every request for as long as the connection lasts. Additionally, JWT is more secure: because the token is signed, any change to the user data inside it changes (and invalidates) the token, which prevents a man-in-the-middle (MITM) from modifying that data.

**Token Based**

<img src="/files/72V5kGdtz62xx3GC9mBf" alt="" class="gitbook-drawing">

**Advantage:**

1. Every time the client accesses the server, instead of looking the token up for verification and then querying the user's information, the server can read the user information directly from the JWT.
2. The server does not need to store any information about the token, unlike a session in the DB.

**Disadvantage:**

1. If the token is stolen, the attacker can access the server with your token (mitigated by encrypting the token and using HTTPS).
2. After logout, the JWT can still be used to access the server (mitigated by keeping a blacklist of logged-out tokens; this is like the session-based approach, implemented with a cache).

**Conclusion**

To make the authorization system more secure, you need to combine the advantages of the session-based and token-based approaches in some parts of the implementation.
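The two points above, tamper detection through the signature and a logout blacklist on top of a stateless token, as an added example (not code from the original page). It builds a minimal HS256 JWT by hand with only the standard library; `SECRET`, the claim names and the `REVOKED` set are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

SECRET = b"demo-secret-key"   # constructed demo key; in production load it from a secrets store
REVOKED = set()               # logout blacklist keyed by token id (jti): the "cache" the page describes

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sign(header_b64: str, payload_b64: str) -> bytes:
    return hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()

def issue(user: str, jti: str, ttl: int = 3600, now=None) -> str:
    """Create an HS256 JWT carrying the user identity, an expiry and a unique id."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps({"sub": user, "jti": jti, "exp": now + ttl}, separators=(",", ":")).encode())
    return f"{header}.{payload}.{_b64(_sign(header, payload))}"

def verify(token: str, now=None):
    """Return the claims if signature, algorithm, expiry and blacklist checks all pass, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(header_b64))
        if header.get("alg") != "HS256":          # pin the algorithm; never let the token choose it
            return None
        # Any change to header or payload changes the expected MAC, so tampering is caught here.
        if not hmac.compare_digest(_sign(header_b64, payload_b64), _unb64(sig_b64)):
            return None
        claims = json.loads(_unb64(payload_b64))
    except ValueError:                            # malformed base64 or JSON
        return None
    if claims.get("exp", 0) <= now or claims.get("jti") in REVOKED:
        return None
    return claims

def logout(token: str, now=None) -> None:
    """Session-style revocation: remember the jti so the still-valid token is refused from now on."""
    claims = verify(token, now)
    if claims:
        REVOKED.add(claims["jti"])

def modify_claim(token: str, new_user: str) -> str:
    """Rewrite the sub claim without re-signing, to show the signature check rejecting it."""
    h, p, s = token.split(".")
    claims = json.loads(_unb64(p))
    claims["sub"] = new_user
    return f"{h}.{_b64(json.dumps(claims, separators=(',', ':')).encode())}.{s}"
```

The blacklist only needs to hold a jti until that token's `exp` passes, which keeps the server-side state small compared to a full session store.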
