JWT vs Session Based Authentication for HIPAA

Hi, asking for the opinion of elixir devs with experience in HIPAA compliancy.

As far as authentication goes. Is there a preference of token-based vs session-based authentication to ensure HIPAA compliancy? Would devs implementing authentication be predisposed to use one method over the other? Does HIPAA compliancy even prioritize one method over the other?


No HIPAA experience but as stated here you have to support logout.

To manage logout with JWTs, you’ll need… to manage states! Also some links on JWTs for authentication sessions that have already been posted here:


@tangui so does that it is HIGHLY recommended and BEST practice to use session-based authentication? Even though HIPAA does not specifically state anything about using session-based over token-based authentication, it is better to use session-based authentication anyway correct?

I have no idea about HIPAA but if it is required to manage logout (and you should read their specs / recommendations / etc.) then you better use stateful (= session-based) sessions because if you use stateless sessions (JWTs…), you’ll end up reimplementing stateful sessions to support logout.

My opinion is that JWTs became popular for this because it’s hard to manage state in a cluster behind load-balancing with most languages and platforms, but that’s not (or less) the case with Erlang / Elixir.

1 Like

@tangui ok i understand. As far as implementation of session-based authentication is concerned. I’m trying to use ueberauth/guardian to do the implementation. It seems like it is JWT (token-based) rather than session-based. Are there any alternative libraries or tutorials on how to implement session-based authentication for elixir? Does guardian provide an option for session-based authentication?

Pow uses sessions by default: https://github.com/danschultzer/pow

PowAssent provides multi-provider support (ueberauth alternative): https://github.com/danschultzer/pow_assent


You don’t necessarily need a library for that: just set an authentication cookie after authentication. Depending on the session lifetime and deployment scenario (cluster? single server? sticky sessions on your lb or not?) you have plenty of choices for a backend where to store sessions:

  • ETS
  • Mnesia
  • Ecto
  • Redis
  • Etc.

Also you have to secure your cookie by:

  • setting the correct cookie flags (secure, HTTPonly)
  • protecting against CSRF

I saw that Dan posted an answer, so yes you might be interested too in lib that does that already :slight_smile:


I deal with HIPAA at work, and I use session based to our SSO and it is time based logout, and if an early logout is performed it logs out of everything else that uses the SSO as well (and vice-versa). I just verify with the SSO on-access if the account is still logged in or not.

So… I put the onus on the people that manage the SSO (other contractors). ^.^