Menu

β„Ή️ What is JBoss? What is JBoss Domain Management ? πŸ› ️ Install JBOSS-EAP 6.4 πŸ“œ Start & Stop JBOSS script. πŸš€ Application Deployment Methods - 1. πŸš€ Application Deployment Methods - 2. πŸš€ Application Deployment Methods - 3. ⚙️ Multiple Instance of JBoss EAP. πŸ” SSL on JBOSS EAP. 🧰 WINDOWS service for JBOSS EAP. πŸ› ️ JBoss EAP 7 - DOMAIN Installation. πŸš€ DOMAIN DEPLOYMENT - GUI MODE. πŸ” SSL on JBOSS 7.1 Admin console & Application. 🌐 Apache mod_jk HTTP Connector - JBOSS AS 7.1 🌐 Apache Configure mod_proxy as load balancer (LB)- JBoss 7.1 🧯 Issue SocketTimeoutException 🧰 JBoss-Remote JMX Connection (jvisualvm) 🌐 Apache Mod Cluster as load balancer (LB) - JBoss 6.4 🧯 Out of space in CodeCache 🧯 java.sql.SQLRecoverableException: Closed Connection 🧯 sun.security.provider.certpath.SunCertPathBuilderException πŸ“ˆ JBOSS EAP 6 TO 7 Migration πŸ” Host Header injection on JBOSS EAP 7.2 πŸ” Encrypting Datasource Passwords using Vault in JBOSS
β„Ή️ Some useful links of IBM. πŸ› ️ WAS Installation using command line. πŸ› ️ Installing Suppliments (IHS/Plugins/WCT) command line. πŸ› ️ Uninstalling Suppliments (IHS/Plugins/WCT) command line. πŸ“ˆ Installing fix-pack using command line. β„Ή️ Profiles in WebSphere® Application Server ND. πŸ“œ WebSphere Profiles list & Basics Commands πŸ› ️ Commands for Custom / Application server / Dmgr Profiles πŸ› ️ Creating WAS-ND Cluster using GUI MODE. πŸš€ Application Deployment on WAS-ND - Cluster Env. πŸ“œ Analyze - JVM logs. 🧰 What is MustGather script ? 🧯 PsList to troubleshoot high CPU usage in Windows πŸ› ️ WebSphere App Server - Updating ports in existing profiles πŸ› ️ Installation Manager (IM) on non-default location πŸ› ️ Websphere Base or ND Installation using Command πŸ“ˆ Install or Update FIXPACK on WebSphere 8.5.+ πŸ› ️ Install SDK 8.0 on Websphere 8.5.5.9+ using Command method. πŸ› ️ How to Create a Clone of any profiles on WAS. πŸ› ️ Installation Manager (IM) on non-Administrator user. πŸ› ️ WebSphere Application Server 7.0.0.X & FIXPACK install / Update on the non-default location. πŸ“ˆ WebSphere ND Migration 7.0 to 8.0 / 9.0 πŸ› ️ IBM WebSphere 9.0.0.0 and IHS (IBM HTTP SERVR) Installation with Fixapck using Command Line (non-root) user
πŸ› ️ Configure IHS (IBM HTTP Server) with WAS 8.5.X.X. πŸ› ️ Multiple IHS in front of WAS (On Single Install). πŸ“Š Monitor IBM HTTP Server connections. πŸ” Self-signed Cert using ikeyman tool. πŸ” Self-Signed Cert using command line. πŸ” Decrypt Stash File.
🌐 Apache HTTP Server β„Ή️ HTTP STATUS CODES πŸ“œ Apache Rewrite Rules πŸ› ️ How to configure Apache MPM. πŸ› ️ Install Apache HTTP Server 2.4.27 ver. on LINUX πŸ› ️ Apache Tomcat - 9.0.0.M21 Installation on WIN 🌐 Apache mod_jk HTTP Connector - JBOSS AS 7.1 🌐 Apache Configure mod_proxy as load balancer (LB)- JBoss 7.1 🧯 Apache error : Server ran out of threads to serve requests (Windows) 🌐 Apache Mod Cluster as load balancer (LB) - JBoss 6.4 🌐 Redirect traffic during maintenance 🧯 httpd (Apache) Error: systemd-tty-ask-password-agent tool! πŸ” SSL certificate supports Weak Ciphers πŸ” How to install opensource mod_security on Apache 2.4 πŸ“ˆ How to upgrade opensource apache from 2.4.39 to 2.4.46 (Minor Version Upgrade). πŸ› ️ What is Nginx & How to install on RHEL πŸ› ️ Install Nginx plus on RHEL 7.4 / UNIX πŸ“Š Monitor Apache httpd process/thread status πŸ“Š Monitor Apache httpd ModJK status πŸ“Š Monitor Apache httpd Proxy balancer-manager status πŸ“Š Monitoring of JBoss servers through Nagios.
πŸ›‘️ Tomcat ghostcat vulnerability (JBoss /Tomcat) πŸ›‘️ SSL certificate supports Weak Ciphers/Encoding (3DES) (Apache 2.4) πŸ›‘️ SSL Medium Strength Cipher Suites Supported (SWEET32) [Tomcat Server] πŸ›‘️ ETag vulnerability & X-Powered-By : jsp/2.2 πŸ›‘️ Missing Security Header(x-xss-protection) & Clickjacking πŸ›‘️ Disable HTTP TRACE / TRACK / OPTIONS/DELETE Method. πŸ›‘️ Information disclosure through server response headers Apache-Coyote & X-Powered-By (JBoss) πŸ›‘️ Local File Inclusion Vulnerabilities OR Directory traversal attack πŸ›‘️ HTTP Host Header Injection (Apache 2.4) πŸ›‘️ Restrict application Accessible by IP Address & HTTP Host Header Injection (Apache 2.4) πŸ›‘️ Disable/Remove Server: Apache header info version (Apache2.4) πŸ” TLS1.2 Protocol enable for IBM WebSphere with SSL Handshake Debug
🌩️ How I Cleared My AZ-900 Microsoft Azure Fundamentals Exam 🌐🧱 Enterprise Network Architecture — Akamai, DNS, WAF, DMZ, SSL & Firewall Flow Explained for Middleware & DevOps Engineers 🌩️ AZ-104 Microsoft Azure Administrator 🌩️ Cloud Computing Basics
⚙️ DevOps vs DevSecOps Explained:Learning Path for Beginners πŸ’» Top 100+ Linux Commands for Middleware & DevOps Engineers 🐧 Linux Shell Scripting for Beginners – Complete Tutorial Series πŸ” Preparing WinRM on Windows Server over HTTPS for Automation (5986) πŸ” WAS Service Restart Using WinRM over HTTPS (5986) on Azure DevOps
☕ how-to-manually-install-new-java-path ☕ SunCertPathBuilderException ☕ out of space in CodeCache for adapters ☕ What is GC , Heap Memory & Metaspace ? ☕ Types of GC , analyze GC logging and REDHAT JVM Tool. πŸ§ͺ How to make datasource test-connection to Oracle / PostgreSql / MSSQL DB Instance.. πŸ§ͺ How to make datasource test-connection to MSSQL DB Instance πŸ§ͺ How to make datasource test-connection to Postgresql DB Instance πŸ§ͺ How to make datasource test-connection to Oracle DB Instance πŸ§ͺ How to Check DB latency using Datasource Test-Connection ☕ Install a new java path to the alternatives 🧰 Xmanager and Set Display. πŸ› ️ Install LAMP on SUSE Linux with example
πŸ” Openssl Commands for Wildcard & SAN certificates. πŸ” What is SSL, What is One-Way SSL & Two-Way SSL? πŸ” Openssl Self-Signed SAN's certificate πŸ” SSL certificate supports Weak Ciphers πŸ” Some SSL issues (Client TLS1.2 , Truststore & SSL debug) with Solutions πŸ” TLS / SSL Certificate Lifetimes Reduced to 47 Days. πŸ” SSL Certificate Renewal on Akamai WAF and Its Impact on Applications. ✨ Worked on VMC SSL Today – A Simple Explanation for Everyone πŸ“ŒWebSphere Outbound SSL & SNI – Troubleshooting Guide
🏒 Enterprise Authentication & Identity Security Series πŸ” Part 1 - What is Authentication? πŸ†” Part 2 - Sessions, Cookies & JSESSIONID ⚖️ Part 3 - Stateful vs Stateless Applications 🎫 Part 4 - JWT (JSON Web Token) & Token-Based Authentication πŸ“Š Part 5 - JWT vs Session vs Cookies Explained πŸšͺ Part 6 - API Authentication & API Gateway Security πŸ”„ Part 7 - OAuth2, OIDC & SAML Explained ☁️ Part 8 - SSO (Single Sign-On), MFA & Microsoft Entra ID 🟦 Part 9 - WebSphere LTPA, Sticky Sessions & Session Replication πŸ›‘️ Part 10 - Zero Trust Security & Authentication Risks

15 Jun 2026

⚖️ JWT vs Session vs Cookies Explained - Part 5

JWT vs Session vs Cookies Explained
  • Welcome to Part 5 of the Authentication & Identity Security series.
  • This article explains the difference between JWT, Sessions and Cookies.
  • Designed for Middleware, DevOps, Cloud, API, and Application Support Engineers.
  • Includes enterprise examples using WebSphere, JBoss, Tomcat, Docker, Azure Entra ID, APIs, and Load Balancers.

Table of Contents

Introduction

In previous parts, we learned about sessions, cookies, JSESSIONID, stateful applications, stateless applications, and JWT-based authentication.

Now it is important to clearly understand the difference between Cookies, Sessions and JWT. Many engineers confuse these terms and use them interchangeably, but they are different concepts.

Simple Understanding:
A cookie is stored in the browser. A session is stored on the server. A JWT is a signed token usually used for stateless authentication.

A cookie is a small piece of data stored in the user's browser. The server sends a cookie to the browser, and the browser sends it back with future requests.

Cookies are commonly used to store identifiers, preferences, tracking values, and session IDs.

Example Cookie

Set-Cookie: JSESSIONID=ABC123XYZ789; Path=/app; Secure; HttpOnly

Browser Sends Cookie Back

GET /app/dashboard HTTP/1.1
Host: www.company.com
Cookie: JSESSIONID=ABC123XYZ789
Important:
A cookie is only a storage mechanism in the browser. It is not the same as a session.

What is a Session?

A session is server-side storage used to maintain user information after login.

In Java enterprise applications, the session is commonly identified using JSESSIONID.

Session Data Example

Session ID: ABC123XYZ789

Stored on Server:
- userId = pradeep
- role = admin
- loginTime = 10:30 AM
- applicationAccess = policy-portal

The browser does not usually store this full session data. The browser only stores the JSESSIONID cookie. The actual session data remains inside the application server memory or external session store.

Common Platforms

  • IBM WebSphere Application Server
  • WebSphere Liberty
  • Apache Tomcat
  • JBoss EAP
  • WildFly

What is JWT?

JWT stands for JSON Web Token. It is a signed token that contains claims about the user or application.

JWT is commonly used in APIs, microservices, mobile applications, Docker-based applications, and cloud-native systems.

JWT Example

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiJwcmFkZWVwIiwicm9sZSI6ImFkbWluIn0.
signature

JWT Payload Example

{
  "sub": "pradeep",
  "role": "admin",
  "iss": "https://login.company.com",
  "aud": "api.company.com",
  "exp": 1789459200
}
Important:
JWT payload is encoded, not encrypted by default. Do not store passwords, secrets, or sensitive data inside JWT.

Cookie, Session and JWT Flow

Session + Cookie Flow

User Login
   │
Application Server Authenticates User
   │
Server Creates Session
   │
Server Generates JSESSIONID
   │
Browser Stores JSESSIONID Cookie
   │
Browser Sends Cookie With Every Request
   │
Server Finds Session Using JSESSIONID

JWT Flow

User Login
   │
Authentication Server Validates User
   │
JWT Generated
   │
Client Stores JWT
   │
Client Sends JWT With API Request
   │
API Validates JWT Signature and Expiry
   │
Access Granted

JWT vs Session vs Cookies Comparison

Feature Cookie Session JWT
Basic Meaning Browser storage mechanism Server-side user state Signed authentication token
Stored In Browser Application Server / External Store Client side
Common Example JSESSIONID cookie User session in JVM heap Bearer token
Stateful / Stateless Storage only Stateful Stateless
Server Memory Required No Yes, unless externalized No session memory required
Scaling Easy Requires sticky session or replication Easier horizontal scaling
Best For Session ID, preferences Traditional web applications APIs, mobile apps, microservices
Security Risk Cookie theft Session hijacking Token theft

Enterprise Middleware Example

Traditional WebSphere / JBoss / Tomcat Application

Browser
   │
JSESSIONID Cookie
   │
IBM HTTP Server / NGINX
   │
WebSphere / JBoss / Tomcat
   │
Session Stored in JVM Memory

This architecture is common in enterprise web applications. The application server stores session data and the browser stores only the JSESSIONID.

Common Requirements

  • Session timeout configuration
  • Sticky session at load balancer
  • Session replication in cluster
  • Secure and HttpOnly cookie flags
  • Logout session invalidation

Docker and Cloud Perspective

Docker does not automatically make an application stateless. If the application running inside the container stores sessions in JVM memory, it is still stateful.

Stateful Docker Application

Browser
   │
JSESSIONID Cookie
   │
Docker Container
   │
Tomcat / JBoss / WebSphere Liberty
   │
Session Stored in Container JVM Memory

If the container restarts or is replaced, in-memory sessions may be lost.

Better Cloud-Native Options

  • Use JWT-based stateless authentication
  • Use Redis as external session store
  • Use database-backed session persistence
  • Use short-lived tokens with refresh tokens
  • Use API Gateway for centralized token validation

Azure Entra ID Perspective

Azure Entra ID commonly issues tokens for modern enterprise applications and APIs. 

User
 │
Application
 │
Azure Entra ID Login
 │
Access Token / ID Token
 │
Application or API Access

In this model, Azure Entra ID handles authentication and issues tokens. Applications validate the token before granting access.

Enterprise Use Case:
Azure Entra ID + OAuth2/OIDC + JWT is commonly used for SSO, API authentication, Azure applications, and cloud-native platforms.

Which One Should You Use?

Application Type Recommended Approach
Traditional WebSphere / JBoss / Tomcat web app Session + Cookie
REST API JWT / OAuth2 Access Token
Docker-based application JWT or Redis-backed session
Single Page Application OIDC with secure token handling
Enterprise SSO Azure Entra ID / SAML / OIDC
Legacy Java application Session-based authentication

Common Misconceptions

Misconception 1: Cookie and Session are Same

This is incorrect. A cookie is stored in the browser. A session is stored on the server.

Misconception 2: JWT Always Replaces Session

JWT is useful for APIs and stateless architectures, but traditional web applications may still use sessions effectively.

Misconception 3: JWT is Always More Secure

JWT security depends on implementation. Poor token storage, long expiry, missing validation, or weak signing keys can create serious risks.

Misconception 4: Docker Makes Applications Stateless

Docker only packages and runs applications. If the application stores sessions in memory, it remains stateful.

Security Best Practices

Cookie Best Practices

  • Use Secure flag for HTTPS-only transmission.
  • Use HttpOnly flag to reduce JavaScript access.
  • Use SameSite attribute to reduce CSRF risk.
  • Set proper cookie path and domain.

Session Best Practices

  • Configure proper session timeout.
  • Invalidate session after logout.
  • Regenerate session ID after login.
  • Use session replication or external session store for HA.
  • Avoid storing unnecessary large objects in session.

JWT Best Practices

  • Use HTTPS for all token communication.
  • Keep access tokens short-lived.
  • Validate signature, expiry, issuer, and audience.
  • Never store passwords or secrets in JWT payload.
  • Use refresh tokens carefully.
  • Rotate signing keys periodically.

Common Production Issues

Issue Possible Cause
User logged out randomly Session timeout, server restart, or sticky session issue
Session works on one node but fails on another No session replication or affinity
JWT gives 401 Unauthorized Expired token, invalid signature, wrong audience or issuer
Cookie not sent to server Wrong domain, path, Secure flag, or SameSite setting
High JVM memory usage Too many sessions or large session objects
Login loop Cookie, SSO, reverse proxy, or token validation issue

Key Takeaways

  • A cookie is browser-side storage.
  • A session stores user data on the server.
  • JSESSIONID is commonly stored inside a cookie.
  • JWT is a signed token used for stateless authentication.
  • Sessions are common in WebSphere, JBoss, and Tomcat applications.
  • JWT is common in APIs, Docker applications, microservices, and cloud-native systems.
  • Cookies, sessions, and JWT can all be secure or insecure depending on implementation.

What’s Next?

Next Article:
Part 6 – API Authentication & API Gateway Security

In the next article, we will understand API authentication methods such as API keys, Basic Authentication, JWT, OAuth2, and how API Gateways secure backend services.

Series: Authentication & Identity Security for Middleware, DevOps & Cloud Engineers
Author: Pradeep V
Blog: MiddlewareBox.com

Posted by:
Tags: , , , , , , , , , , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)