A session is used in authentication to store the identification data.
After a user has been authenticated, the identification (generally the user name) is stored in the session, and subsequent requests do not need to be authenticated again.
The logic is generally that the user is authenticated if the session contains the user name.
A session is identified by a session identifier that permits looking up the session data.
The session data may be stored in a store such as:
- a database
- an in-memory map
- a file
You grab the identifier from the request and look up the data.
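As an added example (not code from the original page), the server-side variant described above: an in-memory map keyed by a random session identifier, the lookup performed on each request, and the authentication rule "the request is authenticated if the session contains a user name". The class and function names, the cookie name SESSION_ID and the 30-minute idle timeout are assumptions made for this example.

```python
import secrets
import time

# Assumed idle timeout for a session (30 minutes); a constructed value.
SESSION_TTL_SECONDS = 1800


class SessionStore:
    """In-memory session store: session identifier -> session data dict."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.monotonic):
        self._sessions = {}
        self._ttl = ttl
        self._clock = clock  # injectable clock so expiry can be tested

    def create(self, user_name):
        # 32 random bytes from the OS CSPRNG. The identifier alone grants
        # access to the session, so it must be unguessable.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {
            "user": user_name,
            "expires": self._clock() + self._ttl,
        }
        return session_id

    def lookup(self, session_id):
        """Return the session data, or None if the id is unknown or expired."""
        data = self._sessions.get(session_id)
        if data is None:
            return None
        if data["expires"] <= self._clock():
            # Expired sessions are dropped on access so they cannot be reused.
            del self._sessions[session_id]
            return None
        return data

    def destroy(self, session_id):
        """Log out: forget the session so the identifier is no longer valid."""
        self._sessions.pop(session_id, None)


def authenticated_user(store, cookies):
    """The rule from the text: the request is authenticated if the session
    behind its cookie contains a user name. Returns that name or None."""
    session_id = cookies.get("SESSION_ID")  # assumed cookie name
    if session_id is None:
        return None
    data = store.lookup(session_id)
    if data is None:
        return None
    return data.get("user")


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")  # constructed sample user
    print(authenticated_user(store, {"SESSION_ID": sid}))   # alice
    print(authenticated_user(store, {"SESSION_ID": "bad"}))  # None
```

The store only ever sees the identifier; the user name never leaves the server, which is why revocation is a simple `destroy` and why the identifier's randomness is the whole security argument.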
If you don't want to manage an external store (such as a database) for your session data, you may also store the session data directly in a cookie, encrypted:
- in a JWT format
- or as a JWE (a JWT whose payload is encrypted)
Note that any other encrypted format where only you know the secret can also be used to authenticate the data.
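The cookie-stored variant, as an added example that is not part of the original page: the session is a compact JWT (RFC 7519) signed with HMAC-SHA256 (the HS256 algorithm), built with the standard library rather than a JWT library so every step is visible. Nothing is kept server-side; the secret key is what lets the server trust the user name it reads back from the cookie, and a token whose payload was altered, was signed with another key, or has expired is rejected. The key, the user names and the function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example key; in practice use random bytes from the OS.
SECRET_KEY = b"constructed-example-key-use-random-bytes-in-practice"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_jwt(user_name, key=SECRET_KEY, ttl=1800, now=None):
    """Create header.payload.signature for the given user (HS256)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_name, "iat": now, "exp": now + ttl}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_session_jwt(token, key=SECRET_KEY, now=None):
    """Return the user name if the token is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm server-side; never let the token choose it.
        if header.get("alg") != "HS256":
            return None
        signing_input = (header_b64 + "." + payload_b64).encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        # Constant-time comparison of the recomputed MAC with the token's.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
        if payload.get("exp", 0) <= now:
            return None
        return payload.get("sub")
    except (ValueError, UnicodeDecodeError):
        # Wrong segment count, bad base64 or bad JSON: treat as unauthenticated.
        return None


if __name__ == "__main__":
    token = issue_session_jwt("alice")  # constructed sample user
    print(token)
    print(verify_session_jwt(token))  # alice
```

The trade-off against the server-side store is visible in the code: there is no `destroy`, so a token stays valid until `exp` unless the key is rotated or a revocation list is kept, which is why the lifetime is short.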