What is a Session? (authentication, tracking)


A session is used in authentication in order to store the identification data.

After a user has been authenticated, the identification (the user name generally) is stored in the session and other requests do not need to be authenticated.

The logic is generally that the user is authenticated if the session contains the user name.


A session is identified by a session identifier that permits looking up the session data.

Session Data Storage

External Store

The session data may be stored in a store such as:

  • a database
  • a in-memory may
  • a file

You grab the identifier and you lookup the data.

If you don't want to manage an external store (such as a database) to store your session data, you may also store your session data directly encrypted in a cookie

  • in a JWT format
  • or a JWE (JWT public information encrypted)

Because the JWT format has a signature, you may authenticate it.

Note that every other format encrypted where you only know the secret may also authenticate the data.

Security Considerations

Discover More
Client-side sessions (stateless sessions) - Client Side Data

Client-side sessions (stateless sessions) are session data stored client-side (Generally browser data) Client-side data is subject to tampering. As such it must be handled with great care by the backend...
Card Puncher Data Processing
Code design - (Connection|Session)

During the use of a product, a session or connection is a execution context that holds identification data (if any) and group actions (such as interaction or transaction) that take place within...
Card Puncher Data Processing
Cognito - Session

After successfully signing in, a session is returned. A session contains : an ID token that contains user claims, an access token that is used internally to perform authenticated calls, ...
Porte Cle Examine Tls Ssl Connection
SSL/TLS - Session (Connection)

A SSL/TLS session is a session between two applications that have successfully performed an SSL Handshake. You can examine the connection and server certificate connection with portecle With...
What is Authentication, known also as Access control, Identification, or AuthN?

Authentication is the process that establishes the identity of a user who accesses a resource of an application (page, image,...) It's abbreviated as AuthN for authentication versus AuthZ for authorization....
What is a Cross-site request forgery attack (CSRF)? Web Security

A Cross-site request forgery (CSRF) is: a http request made by real users unknowingly with the help of the browser from a website to another target website (ie making the request a cross-site...
What is a Session Identifier?

A session identifier is a nonce that represents uniquely a session. Instead of storing session information (such as username, login, start time, ...) directly, the server creates a nonce and sends it...

Share this page:
Follow us:
Task Runner