In web applications, user authentication is a core part of system security and of protecting user data. Today two main authentication approaches are in wide use:
- Session-based authentication
- Token-based authentication (most often JWT)
This article covers how each approach works, its advantages and disadvantages, and when it makes sense to choose which one.
Session-based Authentication
How does it work?
- When the user logs in, the server checks the user's credentials.
- If the check succeeds, the server creates a session and sends the session ID to the client in a cookie.
- The client sends that cookie with every request.
- On each incoming request, the server looks up the session data.
Advantages:
- The server manages the session state.
- Session data is kept on the server; no token is stored on the client side.
- Session data can be deleted from the server at any time.
Disadvantages:
- The server needs storage for sessions (for example, Redis).
- Horizontal scaling becomes harder, because every server has to work against a shared session store.
- Inconvenient for cross-domain applications (because of cookie-based restrictions).
Example of session-based authentication:
```typescript
import express from 'express';
import session from 'express-session';

// Tell TypeScript what we keep in the session (without this augmentation,
// req.session.user does not type-check).
declare module 'express-session' {
  interface SessionData {
    user?: { username: string };
  }
}

const app = express();
app.use(express.json());

app.use(session({
  secret: 'my_secret_key',   // signs the session cookie; keep it out of source code in a real app
  resave: false,
  saveUninitialized: true,
  cookie: { secure: false }  // set to true when serving over HTTPS
}));

// Login route
app.post('/login', (req, res) => {
  const { username, password } = req.body;
  if (username === 'admin' && password === '123') {
    // The session store remembers the user; only the session ID goes to the client
    req.session.user = { username };
    return res.send('Login successful!');
  }
  res.status(401).send('Invalid credentials');
});

// Protected route
app.get('/dashboard', (req, res) => {
  if (req.session.user) {
    return res.send(`Welcome, ${req.session.user.username}`);
  }
  res.status(401).send('Unauthorized');
});

// Logout: destroying the server-side session makes the cookie worthless immediately
app.post('/logout', (req, res) => {
  req.session.destroy(() => {
    res.send('Logged out successfully');
  });
});

app.listen(3000, () => console.log('Server running on port 3000'));
```
JWT (JSON Web Token) Authentication
How does it work?
- When the user logs in, the server verifies the user.
- If the check succeeds, the server generates a JWT.
- The client stores the token in localStorage, sessionStorage or a cookie.
- The client sends the token with every request (usually in the Authorization header).
- The server verifies the token and responds based on its contents.
Advantages:
- No session storage is needed on the server.
- Horizontal scaling is very easy.
- A very good fit for microservices and mobile applications.
- Works more conveniently in cross-domain applications.
Disadvantages:
- There is little ability to revoke a token before it expires.
- The token is stored on the client; stored in the wrong place, it is exposed to XSS attacks.
- The token is heavier (usually 1-2 KB).
Example of JWT (JSON Web Token) authentication:
```typescript
import express from 'express';
import jwt from 'jsonwebtoken';

const app = express();
app.use(express.json());

const SECRET_KEY = 'my_secret_key'; // HMAC key used to sign tokens; load it from config in a real app

// Login route: on success the client receives a signed token instead of a session cookie
app.post('/login', (req, res) => {
  const { username, password } = req.body;
  if (username === 'admin' && password === '123') {
    const token = jwt.sign({ username }, SECRET_KEY, { expiresIn: '1h' });
    return res.json({ token });
  }
  res.status(401).send('Invalid credentials');
});

// Middleware for verifying the token sent as "Authorization: Bearer <token>"
function authenticateToken(req: any, res: any, next: any) {
  const authHeader = req.headers['authorization'];
  const token = authHeader && authHeader.split(' ')[1];
  if (!token) return res.sendStatus(401);
  jwt.verify(token, SECRET_KEY, (err: any, user: any) => {
    if (err) return res.sendStatus(403); // bad signature or expired token
    req.user = user;                      // decoded payload, available to later handlers
    next();
  });
}

// Protected route (req is typed as any because req.user is not part of Express's Request type)
app.get('/dashboard', authenticateToken, (req: any, res) => {
  res.send(`Welcome, ${req.user.username}`);
});

app.listen(3000, () => console.log('Server running on port 3000'));
```
Session vs JWT comparison table
| Feature | Session | JWT |
|---|---|---|
| Where data is kept | Server (session store) | Client (token) |
| Scalability | Moderate (needs storage) | Very good (stateless) |
| Cross-domain support | Limited (cookie-based) | Good (header-based) |
| Logout | Server deletes the session | Harder (wait for expiry or keep a blacklist) |
| Data security | Under server control | Stored on the client (XSS risk) |
| Size | Very small (session ID) | Larger (payload + signature) |
When should you choose which?
- Session-based:
  - Small and medium-sized web applications
  - Systems that typically serve browsers only
  - Applications with frequent login/logout
- JWT-based:
  - Microservices architectures
  - Backends for mobile applications
  - Serverless systems
  - Cross-domain or API-first projects
Conclusion
Session-based and JWT authentication are each useful in their own place. Session-based authentication is convenient for small and monolithic projects, while JWT works very well for scalable systems, microservices and mobile applications. The right choice depends on the needs of each project.