Security Encyclopedia

Stateful Authentication (Session-Based)

Stateful Authentication is a way to verify users by having the server or backend store much of the session information, such as user properties. It is simpler to implement than Stateless or Token-Based Authentication, but it is resource-intensive because the server must perform a lookup for every request.

In stateful authentication, whenever the client sends a request to the server, the server must look up session information such as user properties and match it against its identity provider (IdP). This involves receiving the client's reference ID and matching it against the considerable amount of stored authentication data the server holds on all users.

Stateful authentication is also called session-based authentication or cookie-based authentication, after the session information the server must store for each user.

Stateful authentication is straightforward and easy to implement; however, its drawbacks include a lack of scalability.
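As an added illustration that is not part of the original entry, the following Python sketch shows a minimal server-side session store: login hands the client only an opaque reference ID, every request costs the server a lookup, and the server can expire or revoke sessions directly. The idle-timeout value is an assumption.

```python
from __future__ import annotations
import secrets
import time
from dataclasses import dataclass

SESSION_TTL_SECONDS = 15 * 60  # idle timeout (assumed value, not from the entry)


@dataclass
class Session:
    user_id: str
    properties: dict        # user properties the server keeps, e.g. roles
    expires_at: float


class SessionStore:
    """Server-side store that the backend must consult on every request."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions: dict[str, Session] = {}
        self.lookups = 0    # counts the per-request lookups the entry describes

    def create(self, user_id: str, properties: dict) -> str:
        # The client only receives this opaque reference ID (normally in a cookie);
        # the user properties themselves never leave the server.
        session_id = secrets.token_urlsafe(32)
        expires = self._clock() + SESSION_TTL_SECONDS
        self._sessions[session_id] = Session(user_id, dict(properties), expires)
        return session_id

    def authenticate(self, session_id: str | None) -> Session | None:
        """Look up the ID the client sent; None means the request is unauthenticated."""
        self.lookups += 1
        session = self._sessions.get(session_id) if session_id else None
        if session is None:
            return None
        if self._clock() >= session.expires_at:
            self._sessions.pop(session_id, None)   # expired: drop it and reject
            return None
        session.expires_at = self._clock() + SESSION_TTL_SECONDS  # sliding idle timeout
        return session

    def revoke(self, session_id: str) -> None:
        """State lives on the server, so logout or forced sign-out is immediate."""
        self._sessions.pop(session_id, None)
```

The `lookups` counter makes the scalability cost visible: in a real deployment that counter is a database or cache hit on every request.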


"We're looking into an alternative to stateful authentication because of the toll it takes on our servers. All of these lookups to check cookies on user sessions have our servers running hot, which creates its own problem."