{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreibhpmplqozwa7zy6qzsr5ac2nkujm3vmr5m3nkanmfcktkcogsmb4",
    "uri": "at://did:plc:5sgu76a53rz3n6unbykmovqy/app.bsky.feed.post/3mloeu4p2si22"
  },
  "description": "A session is the server-side state that represents an authenticated user across multiple requests. After a user signs in, the server creates a session record (storing the user ID, expiry, and any auxiliary state) and gives the client a session identifier, typically as an HTTP cookie. Each subsequent request includes the cookie, the server looks up the session, and the request is treated as authenticated.\n\n\nHow it works\n\nTwo designs dominate:\n\n * Server-stored sessions. A random opaque ID is stor",
  "path": "/engineering-glossary/session-stateful-authentication/",
  "publishedAt": "2026-05-12T18:04:55.000Z",
  "site": "https://sahilkapoor.com",
  "tags": [
    "JWT",
    "OAuth 2.0",
    "OIDC",
    "Refresh Token",
    "Bearer Token"
  ],
  "textContent": "**A session** is the server-side state that represents an authenticated user across multiple requests. After a user signs in, the server creates a session record (storing the user ID, expiry, and any auxiliary state) and gives the client a session identifier, typically as an HTTP cookie. Each subsequent request includes the cookie, the server looks up the session, and the request is treated as authenticated.\n\n## How it works\n\nTwo designs dominate:\n\n  * **Server-stored sessions.** A random opaque ID is stored in a cookie. The server keeps the actual session data in a database, Redis, or in-memory store. Logout and revocation are simple (delete the row).\n  * **Signed or encrypted sessions.** The session data itself is serialized into a signed cookie (for example JWT, IronSession). No server-side lookup is needed, at the cost of harder revocation.\n\n## Common cookie attributes\n\n  * `HttpOnly`: cookie unreadable by JavaScript, blocks XSS exfiltration\n  * `Secure`: cookie only sent over HTTPS\n  * `SameSite=Lax|Strict`: limits cross-site sending, mitigates CSRF\n  * `Domain` and `Path`: scope the cookie's visibility\n\n**Related Terms**\nJWT, OAuth 2.0, OIDC, Refresh Token, Bearer Token.",
  "title": "Session",
  "updatedAt": "2026-05-13T19:15:15.085Z"
}