ByteByteGo Newsletter

Share this post

EP34: Session, cookie, JWT, token, SSO, and OAuth

blog.bytebytego.com

EP34: Session, cookie, JWT, token, SSO, and OAuth

Alex Xu
Nov 26, 2022
183
3
Share this post

EP34: Session, cookie, JWT, token, SSO, and OAuth

blog.bytebytego.com

This week’s system design refresher:

  • System design interview course (Black Friday Sale)

  • Token, Cookie, Session

  • What is CDN? (Youtube video)

  • Learning Payment System

  • Online ticketing platform

  • Centralized vs. Decentralized Social Network


📚 BLACK FRIDAY SALE 📚

The Black Friday sale is now up! Use code BF2022 at checkout for 30% off my system design interview online course.

No alternative text description for this image

Our online course features content from two System Design interview books. And in 2023, we hope to add the new System Design Interview Volume 3.

To take advantage of the limited-time offers, subscribe before 11:59 pm PST on Monday, November 28.

Get it here


Token, Cookie, Session

Session, cookie, JWT, token, SSO, and OAuth 2.0 - what are they?

No alt text provided for this image

These terms are all related to user identity management. When you log into a website, you declare who you are (identification). Your identity is verified (authentication), and you are granted the necessary permissions (authorization). Many solutions have been proposed in the past, and the list keeps growing.

From simple to complex, here is my understanding of user identity management:

  • WWW-Authenticate is the most basic method. You are asked for the username and password by the browser. As a result of the inability to control the login life cycle, it is seldom used today.

  • A finer control over the login life cycle is session-cookie. The server maintains session storage, and the browser keeps the ID of the session. A cookie usually only works with browsers and is not mobile app friendly.

  • To address the compatibility issue, the token can be used. The client sends the token to the server, and the server validates the token. The downside is that the token needs to be encrypted and decrypted, which may be time-consuming.

  • JWT is a standard way of representing tokens. This information can be verified and trusted because it is digitally signed. Since JWT contains the signature, there is no need to save session information on the server side.

  • By using SSO (single sign-on), you can sign on only once and log in to multiple websites. It uses CAS (central authentication service) to maintain cross-site information

  • By using OAuth 2.0, you can authorize one website to access your information on another website


What Is A CDN? How Does It Work?


How to learn payment systems?

No alternative text description for this image

Online Ticketing Platform

Last week, Ticketmaster halted public ticket sales of Taylor Swift’s tour due to extraordinarily high demands on ticketing systems.

It’s an interesting problem, so we did some research on this topic. The diagram below shows the evolution of the online China Train ticket booking system.

No alternative text description for this image

The China Train tickets booking system has similar challenges as the Ticketmaster system:

  1. Very high concurrent visits during peak hours.

  2. The QPS for checking remaining tickets and orders is very high

  3. A lot of bots

The solutions

  1. Separate read and write requests. Because anxious users kept refreshing the web page to check if there were tickets available, the system could under huge pressure.

    To handle the calculation and query in memory, the remaining ticket components were moved entirely to GemFire. It is possible to fit the entire country's train tickets into several Gigabytes of memory.
    In addition, the order query component was moved to GemFire to reduce the load on the order database. Hadoop was used to store historical orders.

  2. Leverage public cloud for elastic capacity.

  3. Ban bots. It reduced the traffic by 95%.

  4. Increase the bandwidth of the system.

  5. Increase system availability by setting up more data centers in different cities.

  6. Design multiple emergency plans.

Note: the numbers are based on the back-of-the-envelope estimation (not official data). 


Do we have an alternative for Twitter services?

What is a decentralized social network service?

The diagram below shows a comparison between Twitter and Mastodon.

No alternative text description for this image

It is said that Trump's new social media platform Truth Social was using the Mastodon.

Mastodon runs self-hosted social network services. It is free and has no ads. Its MAU (Monthly Active Users) increased from 500k in Oct to 1 million in Nov, after Elon Musk’s takeover of Twitter.

Unlike Twitter, whose servers belong to the Twitter company, Mastodon’s servers do not belong to any company. Its network is composed of servers (instances) from different organizations.

When users register, they must choose a server to start with. Since the servers sync up with each other, users can still receive updates from other servers.

Because the network is run by volunteers, the company has only one employee - its founder Eugen Rochko. It is run by crowdfunding and is now supported by 3500 people.


 Featured job openings

Openedges: Chief Architect (San Jose, Austin, Remote)

3
Share this post

EP34: Session, cookie, JWT, token, SSO, and OAuth

blog.bytebytego.com
3 Comments
Jerry
Writes Talented Newsletter
Nov 28, 2022

Great post! Can you include SAML into your JWT / SSO comparison as well?

Expand full comment
ReplyCollapse
Jerry
Writes Talented Newsletter
Nov 28, 2022

Great post! Can you include SAML into your JWT / SSO comparison as well?

Expand full comment
ReplyCollapse
1 more comment…
TopNewCommunity

No posts

Ready for more?

© 2023 ByteByteGo
Privacy ∙ Terms ∙ Collection notice
Start WritingGet the app
Substack is the home for great writing