Session

A session is the server-side state that represents an authenticated user across multiple requests. After a user signs in, the server creates a session record (storing the user ID, expiry, and any auxiliary state) and gives the client a session identifier, typically as an HTTP cookie. Each subsequent request includes the cookie, the server looks up the session, and the request is treated as authenticated.

How it works

Two designs dominate:

  • Server-stored sessions. A random, opaque ID is stored in a cookie. The server keeps the actual session data in a database, Redis, or an in-memory store. Logout and revocation are simple: delete the row, and the cookie becomes meaningless.
  • Signed or encrypted sessions. The session data itself is serialized into a signed (or encrypted) cookie, for example a JWT or an IronSession cookie. No server-side lookup is needed, at the cost of harder revocation: the cookie stays valid until it expires unless the server keeps a denylist.

Whichever design is used, the cookie carrying the ID or the signed payload should be set with these attributes:

  • HttpOnly: the cookie is unreadable by page JavaScript, so an XSS payload cannot read and exfiltrate it (it can still issue requests that carry it)
  • Secure: the cookie is only sent over HTTPS
  • SameSite=Lax or Strict: restricts when the browser attaches the cookie to cross-site requests, which mitigates CSRF
  • Domain and Path: scope where the cookie is sent; keep both as narrow as the application allows