System Design

Session Management Strategies

Compare cookie, server side, and token sessions for stateful web apps.

5 min read · core

The problem

HTTP is stateless, yet apps must remember who a user is across requests. Session management bridges that gap.

Strategies

  • A cookie session id stores only a random id in a cookie; the id points to server-held data.
  • A server-side store keeps the session data in a database or cache keyed by that id.
  • Signed tokens put the session data itself in the cookie, signed so that it cannot be forged or altered.

How an id based session flows

The browser sends its cookie, the server looks up the matching record, and attaches user context to the request.

Tradeoffs

  • Server side stores let you revoke a session instantly by deleting the record.
  • Signed tokens avoid a store lookup but are hard to revoke before expiry.
  • Keep cookies marked HttpOnly and Secure to resist theft.

Practical notes

  • Rotate session ids after login to block fixation attacks.
  • Set sensible expiry and idle timeouts.
  • Store only an opaque id client side, never raw credentials.
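An added example (not part of the lesson) that ties the points above together in Python: a server-side store holding records behind an opaque random id, with idle and absolute timeouts, id rotation at login and instant revocation, beside a minimal HMAC-signed token whose validity rests only on its MAC. The timeout values, the cookie attributes other than HttpOnly and Secure, and the token format are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

IDLE_TIMEOUT = 15 * 60       # idle timeout, seconds (constructed policy value)
ABSOLUTE_TIMEOUT = 8 * 3600  # absolute lifetime, seconds (constructed policy value)

class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock  # injectable clock so tests can advance time
        self.records = {}   # server-held data keyed by opaque session id

    def create(self, user_id):
        sid = secrets.token_urlsafe(32)  # 256 random bits; the client only ever sees this id
        now = self.clock()
        self.records[sid] = {"user": user_id, "created": now, "seen": now}
        return sid

    def lookup(self, sid):
        rec = self.records.get(sid)
        if rec is None:
            return None
        now = self.clock()
        if now - rec["seen"] > IDLE_TIMEOUT or now - rec["created"] > ABSOLUTE_TIMEOUT:
            del self.records[sid]  # expired: drop the record and treat as no session
            return None
        rec["seen"] = now
        return rec["user"]

    def rotate(self, old_sid, user_id):
        """Fresh id at login, so an id planted before login (fixation) is never authenticated."""
        self.records.pop(old_sid, None)
        return self.create(user_id)

    def revoke(self, sid):
        """Instant revocation: once the record is deleted the id is dead everywhere."""
        return self.records.pop(sid, None) is not None

def set_cookie_header(sid):
    # HttpOnly and Secure as the lesson advises; SameSite and Path are added defaults
    return f"Set-Cookie: sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"

# Contrast: a signed token carries the data itself and the server keeps no record to delete,
# so any token with a valid MAC stays accepted; ending it early needs a block list (not shown).
def sign_token(payload, key):
    body = base64.urlsafe_b64encode(json.dumps(payload).encode())
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def verify_token(token, key):
    body, _, mac = token.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return json.loads(base64.urlsafe_b64decode(body)) if hmac.compare_digest(expected, mac) else None
```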

Key idea

Choose between a server side store for easy revocation and signed tokens for fewer lookups, matching the choice to your security needs.

Check yourself

1. What is the main advantage of a server side session store?

2. Why rotate the session id after login?