Session-based authentication is the traditional form-based web authentication mechanism, in which the server creates and maintains a session once the user's credentials have been validated. It is stateful and is normally not very scalable unless you use a distributed HTTP session, which is possible with a distributed cache such as Hazelcast or with the session replication features of a dedicated web server or load balancer. JHipster adds a lot of features on top of the standard mechanism, such as secured tokens that are stored in the database, can be invalidated, and are used in remember-me mechanisms, and so on.
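
The database-backed, invalidatable remember-me token mentioned above can be sketched as follows. This is an added example, not JHipster's own code: the class `RememberMeTokens`, its method names, the in-memory map standing in for the database table, and the choice to store only a SHA-256 hash of the token are all assumptions of the sketch (it needs Java 16 or later for `record`).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
// Added illustration, not JHipster code. The map stands in for a database table.
public class RememberMeTokens {
    record Row(String user, byte[] tokenHash, Instant expires) {}
    private final Map<String, Row> table = new ConcurrentHashMap<>(); // key: series id
    private final SecureRandom rng = new SecureRandom();

    private String random() {
        byte[] b = new byte[20];
        rng.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
    private static byte[] sha256(String s) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    // Called after a successful form login with "remember me" ticked.
    public String issue(String user, long ttlSeconds) throws Exception {
        String series = random(), token = random();
        table.put(series, new Row(user, sha256(token), Instant.now().plusSeconds(ttlSeconds)));
        return series + ":" + token; // cookie value; only the hash stays on the server
    }

    // Returns the user name for a valid cookie, or null if it must be rejected.
    public String validate(String cookie) throws Exception {
        String[] p = cookie.split(":", 2);
        Row row = p.length == 2 ? table.get(p[0]) : null;
        if (row == null) return null; // malformed, unknown, or already invalidated
        boolean ok = MessageDigest.isEqual(row.tokenHash(), sha256(p[1])) // constant-time compare
                && Instant.now().isBefore(row.expires());
        if (!ok) { table.remove(p[0]); return null; } // wrong or expired: drop the row
        return row.user();
    }

    // Server-side invalidation (logout, password change, user revokes a device).
    public void invalidate(String series) { table.remove(series); }

    public static void main(String[] args) throws Exception {
        RememberMeTokens store = new RememberMeTokens();
        String cookie = store.issue("alice", 3600); // constructed sample user
        System.out.println(store.validate(cookie));
        store.invalidate(cookie.split(":")[0]);
        System.out.println(store.validate(cookie));
    }
}
```

Because the token lives in a server-side row rather than only in the browser, deleting the row ends the remembered login immediately, regardless of the cookie's own expiry.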