Client-side sessions (stateless sessions) - Client Side Data


Client-side sessions (stateless sessions) are session data stored client-side (Generally browser data)

Client-side data is subject to tampering. As such it must be handled with great care by the backend

stateless mechanism means that the user state is never saved in the server memory.



To protect the contents of a client side session, you can sign it:

  • to validate the data against tampering
  • to authenticate the origin

Most of the time sessions are only signed and not encrypted because there should be no security or privacy concern when the data is read by third parties.


A third party (a client-side script) might be able to read client side data if they are stored in an unencrypted JWT

Client side data that may raise privacy concerns must not be left unencrypted (Example: user’s shopping cart).

Powered by ComboStrap