About
Client-side sessions (stateless sessions) are sessions whose data is stored on the client (generally in the browser, for instance in a cookie).
Client-side data is subject to tampering. As such, it must be handled with great care by the backend.
The mechanism is stateless because the user state is never saved in the server's memory.
Operation
Sign
To protect the contents of a client side session, you can sign it:
- to validate the data against tampering
- to authenticate the origin
Most of the time, sessions are only signed and not encrypted, because there should be no security or privacy concern when the data is read by third parties.
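The signing scheme described above, as an added example that is not part of the original page: the session dictionary is serialised, base64-encoded and tagged with HMAC-SHA256; verification uses a constant-time comparison so a tampered payload, a forged tag or a wrong key is rejected. The key and session values are constructed for the demo; `read_without_key` shows that a signed-but-unencrypted session remains readable by anyone holding the token.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for this example; a real service loads it from a secret store.
SECRET_KEY = b"example-key-do-not-use-in-production"


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(data: dict, key: bytes = SECRET_KEY) -> str:
    """Serialise the session and append an HMAC-SHA256 tag: '<payload>.<tag>'."""
    payload = _b64encode(json.dumps(data, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64encode(tag)}"


def verify_session(token: str, key: bytes = SECRET_KEY):
    """Return the session dict if the tag matches, else None (tampered, forged or malformed)."""
    try:
        payload, tag = token.rsplit(".", 1)
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison: an early-exit compare would leak the tag via timing.
        if not hmac.compare_digest(expected, _b64decode(tag)):
            return None
        return json.loads(_b64decode(payload))
    except ValueError:  # covers base64, UTF-8 and JSON decoding errors
        return None


def read_without_key(token: str) -> dict:
    """Signing does not hide the contents: the payload half decodes without the key."""
    return json.loads(_b64decode(token.split(".", 1)[0]))


if __name__ == "__main__":
    token = sign_session({"user": "alice", "role": "member"})
    print(verify_session(token))  # original session is accepted
    # Tampering: swap in a payload with a different role but keep the old tag.
    forged = sign_session({"user": "alice", "role": "admin"}).split(".")[0] + "." + token.split(".")[1]
    print(verify_session(forged))  # None: the tag no longer matches
    print(read_without_key(token))  # contents are visible to any script holding the token
```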
Encryption
A third party (for example a client-side script) may be able to read client-side session data if it is stored in an unencrypted JWT.
Client-side data that may raise privacy concerns must not be left unencrypted (example: a user's shopping cart).