A: Session-based authentication keeps the session state on the server side. When a user logs in, a session is created on the server (or in a separate session store), and only the session ID is stored in a cookie (usually flagged HttpOnly) in the client's browser. On each request the browser sends that cookie; the server looks up the session ID and retrieves the associated user state (e.g. logged-in status, user ID).
In contrast, token-based (e.g. JWT) authentication encodes the user state (or a reference to it) into a signed token which the client sends with each request, typically in a header. The server verifies the token's signature and claims, so it does not necessarily need any server-side session storage.
Session-based authentication is simpler and more traditional, and gives the server central control over invalidation, whereas JWT scales better in stateless or distributed architectures. Also consider the trade-offs around token size, revocation, and storage.
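The following is an added example, not code from the original answer, that puts the two models side by side: an in-memory session store where logout takes effect immediately, and a minimal HS256 JWT issuer/verifier built on the standard library (a stand-in for a real JWT library, chosen only so the example runs offline). The `compare_logout` scenario and all key material are constructed for illustration; it shows the revocation trade-off the answer mentions, since a signed token stays verifiable until it expires even after the user has "logged out".

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


# --- Session-based: state lives on the server; the cookie carries only an opaque ID ---
class SessionStore:
    """Constructed in-memory session store (a real deployment would use e.g. Redis or a DB)."""

    def __init__(self):
        self._sessions = {}  # session_id -> user state

    def create(self, user_id):
        sid = secrets.token_urlsafe(32)  # unguessable, opaque identifier; no user data inside
        self._sessions[sid] = {"user_id": user_id, "created": time.time()}
        return sid

    def lookup(self, sid):
        # Every request costs a store lookup, but the server is the single source of truth.
        return self._sessions.get(sid)

    def invalidate(self, sid):
        # Central control: deleting the record logs the user out on the very next request.
        self._sessions.pop(sid, None)


# --- Token-based (JWT, HS256): state lives in the token; the server only verifies it ---
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id, key: bytes, ttl=3600, now=None):
    """Build header.payload.signature with an HMAC-SHA256 signature over header.payload."""
    now = time.time() if now is None else now
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()
    payload = json.dumps(
        {"sub": user_id, "iat": int(now), "exp": int(now) + ttl}, separators=(",", ":")
    ).encode()
    signing_input = f"{_b64url(header)}.{_b64url(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token, key: bytes, now=None):
    """Return the payload if signature, pinned algorithm and expiry all check out, else None."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # tampered payload or wrong key
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":
            return None  # the verifier pins the algorithm; it never trusts "alg" from the token
        payload = json.loads(_b64url_decode(p))
    except (ValueError, TypeError):
        return None  # malformed token
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None  # expired (or missing expiry)
    return payload


def compare_logout(key: bytes):
    """Constructed scenario: the user logs out of both systems; only the session dies at once."""
    store = SessionStore()
    sid = store.create("alice")
    tok = issue_token("alice", key, ttl=3600, now=1_000_000)
    store.invalidate(sid)  # server-side logout takes effect immediately
    return {
        "session_after_logout": store.lookup(sid),  # None
        # The token carries its own validity; without a denylist it verifies until "exp".
        "token_after_logout": verify_token(tok, key, now=1_000_001) is not None,  # True
    }


if __name__ == "__main__":
    print(compare_logout(b"constructed-demo-key-do-not-reuse"))
```

The `token_after_logout` result is the practical reason stateless tokens are usually paired with short lifetimes, refresh tokens, or a server-side denylist keyed on a token ID, which reintroduces some of the state the design was meant to avoid.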