What Is Session Management?
Session management tracks a user's authenticated state across multiple HTTP requests, which is necessary because HTTP itself is stateless. After login, the server either creates a session record on its side and sends a random identifier for it in a cookie, or issues a signed token (a JWT) that carries the claims itself. Each subsequent request presents that cookie or token, and the server uses it to re-establish who the caller is without asking for credentials again.
How Session Management Works
Server-side sessions: login → server generates a random session ID (from a CSPRNG, long enough to be unguessable), stores the session data in a store such as Redis keyed by that ID, and sends the ID in an HttpOnly cookie → each request carries the cookie → the server looks up the record and treats the request as that user. Stateless sessions: login → server issues a signed JWT carrying the claims → client stores it (cookie or Authorization header) → on each request the server checks the signature and expiry and, if valid, trusts the claims without any lookup.
Key Concepts
- Session Cookie — the cookie carrying the session identifier, set with HttpOnly (no script access), Secure (sent over HTTPS only) and SameSite (not attached to cross-site requests)
- Session Store — where session data lives: Redis, a database, or process memory. In-process memory is lost on restart and not shared between instances, so a shared store such as Redis is the usual production choice
- Session Expiry — sessions should time out after inactivity (30 minutes is a common value) and also have an absolute maximum lifetime (for example 24 hours) that activity does not extend
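The server-side flow described above (random ID in an HttpOnly cookie, record held in a store) together with both expiry rules, as an added Python example written for this page; it is not the page's own code nor any library's. A dict stands in for Redis and the clock is injectable so the timeouts can be exercised without waiting; the 30-minute and 24-hour values are the ones named above, and the rotate() method goes slightly beyond the text by regenerating the ID at login, which is the standard defence against session fixation. Names such as SessionStore and demo() are this example's own.

```python
import secrets
import time

# Lifetimes from the "Session Expiry" concept above (assumed values).
IDLE_TIMEOUT = 30 * 60        # seconds without a request before the session dies
MAX_LIFETIME = 24 * 60 * 60   # absolute cap from creation, regardless of activity


class SessionStore:
    """Server-side session store keyed by an opaque random ID.

    A plain dict stands in for Redis so the example runs offline; with Redis
    you would store the same record under the ID and typically let a TTL
    (EXPIRE) handle the idle timeout. The clock is injectable for testing.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def create(self, user_id):
        """Log in: mint a new unguessable ID and record who it belongs to."""
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = {"user_id": user_id, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid):
        """Resolve a presented ID; returns the record, or None if unknown or expired.

        The idle window slides forward on every successful lookup; the
        absolute lifetime never does.
        """
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > IDLE_TIMEOUT or now - rec["created"] > MAX_LIFETIME:
            del self._sessions[sid]   # expired: drop it so it cannot be reused
            return None
        rec["last_seen"] = now
        return rec

    def destroy(self, sid):
        """Log out (or revoke after a compromise): every copy of the cookie is now dead."""
        self._sessions.pop(sid, None)

    def rotate(self, sid):
        """Swap in a fresh ID but keep the record; call at login or privilege change
        so an ID an attacker learned before authentication is worthless after it."""
        rec = self._sessions.pop(sid, None)
        if rec is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = rec
        return new_sid


def set_cookie_header(sid):
    """Value for the Set-Cookie response header that carries the session ID.

    HttpOnly keeps it from JavaScript, Secure restricts it to HTTPS,
    SameSite=Lax keeps it off cross-site POSTs, and Max-Age matches the
    absolute lifetime so the browser discards it when the server would.
    """
    return (f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax; "
            f"Max-Age={MAX_LIFETIME}")


def demo():
    """Walk the lifecycle with a fake clock; returns the observed outcomes."""
    now = [1_700_000_000.0]                 # constructed starting time
    store = SessionStore(clock=lambda: now[0])
    sid = store.create("alice")
    result = {"login_user": store.lookup(sid)["user_id"]}
    now[0] += 29 * 60                       # 29 min idle: still inside the window
    result["valid_after_29_min_idle"] = store.lookup(sid) is not None
    now[0] += 31 * 60                       # 31 more min with no request: idle timeout
    result["valid_after_further_31_min_idle"] = store.lookup(sid) is not None
    sid = store.create("alice")
    alive = True
    for _ in range(25 * 3):                 # a request every 20 min for 25 hours
        now[0] += 20 * 60
        alive = store.lookup(sid) is not None
    result["valid_after_25h_active"] = alive  # absolute lifetime ends it anyway
    return result
```

Note that expiry is enforced on the server at lookup time; the cookie's Max-Age is only a courtesy to the browser, and an attacker replaying a stolen ID never honours it.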
Frequently Asked Questions
JWT vs server-side sessions?
Server-side sessions are easier to secure: the server holds the authoritative record, so it can revoke a session instantly (logout, password change, suspected compromise), and the cookie carries only an opaque identifier, so no claims are exposed to the client. JWTs are stateless: no session store is needed and any service holding the verification key can validate a token, which suits APIs and microservices, but a token stays valid until its exp claim passes unless you add state back (a denylist, or short-lived access tokens paired with refresh tokens). Use server-side sessions for most browser-facing web apps; use JWTs for APIs and service-to-service calls where statelessness matters, keep them short-lived, and have the verifier pin the accepted algorithm rather than trusting the token's own alg header.
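The stateless flow and the trade-off in this answer, as an added example written for this page (not the page's code and not a JWT library): an HS256 sign/verify pair on the standard library, plus a demo() that runs one token against the cases a verifier must reject (tampered payload, expiry, wrong key, an "alg":"none" header) and against a denylist, which is the state you reintroduce if you need revocation before exp. The key, claim values and function names are constructed for the example; production code should use a maintained JWT library, the point here is what the verifier has to check.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256 token at login: header.payload.signature, each base64url."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes, now: Optional[float] = None,
               revoked: frozenset = frozenset()) -> Optional[dict]:
    """Validate a presented token with no session store; returns the claims or None.

    Checks, in order: exact three-part shape, pinned algorithm (the token's own
    "alg" is never allowed to choose the verifier), constant-time signature
    comparison, a mandatory numeric "exp", and finally an optional denylist
    keyed on "jti". Any malformed input is treated as invalid.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        current = time.time() if now is None else now
        if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= current:
            return None
        if claims.get("jti") in revoked:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None


def demo(key: bytes = b"constructed-demo-key-do-not-reuse") -> dict:
    """Issue one token and try it against the failure modes a verifier must catch."""
    issued_at = 1_700_000_000                      # constructed issue time
    token = sign_jwt({"sub": "alice", "iat": issued_at, "exp": issued_at + 900,
                      "jti": "tok-1"}, key)
    header_b64, payload_b64, sig_b64 = token.split(".")
    # Attacker rewrites the payload but cannot re-sign it.
    forged_payload = b64url_encode(json.dumps({"sub": "admin", "exp": issued_at + 900}).encode())
    forged = f"{header_b64}.{forged_payload}.{sig_b64}"
    # Attacker claims alg "none" and supplies an empty signature.
    none_header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    unsigned = f"{none_header}.{payload_b64}."
    return {
        "valid": verify_jwt(token, key, now=issued_at + 60)["sub"],
        "expired": verify_jwt(token, key, now=issued_at + 900),
        "wrong_key": verify_jwt(token, b"other-key", now=issued_at + 60),
        "forged_payload": verify_jwt(forged, key, now=issued_at + 60),
        "alg_none": verify_jwt(unsigned, key, now=issued_at + 60),
        "revoked": verify_jwt(token, key, now=issued_at + 60, revoked=frozenset({"tok-1"})),
    }
```

Everything except the last check in verify_jwt works from the token and the key alone, which is what makes the scheme stateless; the moment you need to cut a token off before exp, the denylist (or an equivalent shared store) brings back exactly the kind of state a server-side session already has.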