100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Web

Session Management

IntermediateConcept9.7K learners

Session management is the set of techniques a web application uses to track a user's state — such as being logged in — across multiple HTTP requests, since HTTP itself is stateless.

Definition

Session management is the set of techniques a web application uses to track a user's state — such as being logged in — across multiple HTTP requests, since HTTP itself is stateless.

Overview

Because HTTP is a stateless protocol, every request a browser sends is, by default, unrelated to the ones before it. Session management is how applications work around this to keep a user "logged in" as they navigate between pages or make repeated API calls. The classic approach is server-side sessions: on login, the server creates a session record (often stored in memory, a database, or a cache like Redis), assigns it a unique session ID, and sends that ID to the browser as a cookie. On every subsequent request, the browser automatically sends the cookie back, and the server looks up the session to know who is making the request. An alternative, increasingly common in API-driven and mobile-first architectures, is token-based session management, where the server issues a signed token — often a JSON Web Token (JWT) — that the client stores and sends with each request. This avoids server-side storage entirely, since the token itself carries the necessary claims, but trades that for harder revocation and the need for careful token storage on the client to avoid theft. Regardless of approach, sound session management has to account for expiry (sessions and tokens should time out), secure transport (cookies marked `Secure` and `HttpOnly`, tokens sent over HTTPS only), protection against session fixation and hijacking, and cross-origin behavior governed by CORS. Many modern systems combine both models: a short-lived access token for API calls and a server-tracked refresh token or session for renewing it, often layered with OAuth-based login.

Key Concepts

  • Works around HTTP's stateless nature to persist a logged-in user's identity
  • Server-side sessions store state in memory, a database, or a cache like Redis
  • Token-based sessions (e.g. JWTs) are self-contained and avoid server-side lookups
  • Session IDs and tokens are typically transported via cookies or Authorization headers
  • Expiry policies limit how long a session or token remains valid
  • Cookie flags like Secure, HttpOnly, and SameSite reduce hijacking and CSRF risk
  • Refresh tokens allow renewing access without forcing the user to log in again
  • Session invalidation on logout or password change is critical for security

Use Cases

Keeping a user logged into a web application across page navigations
Maintaining shopping cart state for an anonymous or logged-in shopper
Powering single sign-on across multiple related applications or subdomains
Rate-limiting or personalizing API responses based on the calling user's session
Supporting "remember me" login persistence across browser restarts
Enforcing timeout and re-authentication for sensitive actions like payments

Frequently Asked Questions

From the Blog