About
A session is used in authentication to store the identification data.
After a user has been authenticated, the identification (generally the user name) is stored in the session, so subsequent requests do not need to be authenticated again.
The logic is generally: the user is authenticated if the session contains a user name.
Identifier
A session is identified by a session identifier that permits looking up the session data.
Session Data Storage
External Store
The session data may be stored in a store such as:
- a database
- an in-memory map
- a file
- …
You take the identifier from the request and look up the data in the store.
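The external-store flow above (create a session once the user is authenticated, look it up on later requests, treat the request as authenticated only if the session holds a user name), as an added example that is not part of the original page. The store is an in-memory map standing in for a database or file; the session TTL and user names are constructed values.

```python
import secrets
import time
from typing import Dict, Optional

# Constructed value: a session expires one hour after it was created.
SESSION_TTL_SECONDS = 3600

# The "external store": session identifier -> session data.
# An in-memory map here; a database, cache or file would be looked up the same way.
_store: Dict[str, dict] = {}


def create_session(user_name: str, now: Optional[float] = None) -> str:
    """Called once the user has been authenticated.

    Stores the identification (the user name) under a fresh, unguessable
    session identifier and returns that identifier (to be sent to the client,
    typically in a cookie).
    """
    now = time.time() if now is None else now
    # 32 random bytes (256 bits): the identifier cannot be guessed or enumerated.
    session_id = secrets.token_urlsafe(32)
    _store[session_id] = {
        "user": user_name,
        "created": now,
        "expires": now + SESSION_TTL_SECONDS,
    }
    return session_id


def lookup_session(session_id: str, now: Optional[float] = None) -> Optional[dict]:
    """Look the identifier up in the store; expired sessions are dropped."""
    now = time.time() if now is None else now
    data = _store.get(session_id)
    if data is None:
        return None
    if now >= data["expires"]:
        _store.pop(session_id, None)
        return None
    return data


def authenticated_user(session_id: str, now: Optional[float] = None) -> Optional[str]:
    """The rule from the text: the request is authenticated only if the
    session exists and contains a user name. Returns that name or None."""
    data = lookup_session(session_id, now)
    if data is None:
        return None
    user = data.get("user")
    return user if isinstance(user, str) and user else None


def destroy_session(session_id: str) -> None:
    """Logout: removing the entry immediately invalidates the identifier."""
    _store.pop(session_id, None)


if __name__ == "__main__":
    sid = create_session("alice")
    print(authenticated_user(sid))            # alice
    print(authenticated_user("unknown-id"))   # None
    destroy_session(sid)
    print(authenticated_user(sid))            # None
```

Because the data lives on the server, revoking a session (logout, password change) is a single delete in the store; the client only ever holds an opaque identifier.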
JWT Cookie
If you don't want to manage an external store (such as a database) for your session data, you may also store the session data directly in a cookie, signed or encrypted:
- in a JWT format (signed)
- or as a JWE (a JWT whose otherwise readable claims are encrypted)
Because the JWT format carries a signature, you can authenticate it: verify that the server issued the cookie and that it was not modified.
Note that any other format, encrypted with a secret that only the server knows, may also authenticate the data.