Session
What is it?
A session is how a website remembers who you are across multiple requests, so you stay logged in as you move from page to page.
Explain like I'm 5
Why was it created?
HTTP forgets you after each request. Sessions were created so a server can link a series of requests to the same logged-in user.
Where is it used?
- Keeping users logged in
- Shopping carts
- Multi-step forms and flows
- Storing per-user state on the server
Why should developers care?
Sessions are fundamental to login and authentication on the web, so almost every web developer works with them.
How does it work?
After login, the server creates a session and gives the browser a session ID, usually in a cookie. The browser sends it on each request, and the server looks up the matching session to know who you are.
Real-world example
You log into a shopping site; a session keeps you authenticated as you browse and add items, until you log out or it expires.
Common use cases
- Authentication state
- Shopping carts
- Per-user temporary data
- Multi-request workflows
Advantages
- Easy to invalidate (just delete the session)
- Keeps sensitive data on the server
- Well understood
- Good control over login state
Disadvantages
- Server must store session state
- Scaling needs shared session storage
- Cookies must be secured against theft
When should you use it?
When you want server-controlled login state that's easy to revoke.
When should you avoid it?
For fully stateless APIs across many services, where tokens like JWTs may fit better.
Alternatives
Related terms
Interview questions
Beginner
- What is a session?
- How does a server remember a logged-in user?
Intermediate
- How is a session ID usually stored?
- How do sessions differ from JWTs?
Senior
- How do you share sessions across multiple servers?
- How do you protect session cookies from theft?
Common misconceptions
- "Sessions and cookies are the same" — a cookie often carries the session ID, but the session is the server-side state.
- "Sessions are outdated because of JWTs" — both are valid; sessions are easier to revoke.
Fun facts
- The session ID in a cookie is what links your requests together.
- Server-side sessions can be invalidated instantly, unlike most JWTs.
Timeline
- 1990s — Sessions emerge to add state to stateless HTTP
Learning resources
Quick summary
A session lets a server remember a user across requests, typically via a session ID stored in a cookie, keeping them logged in.
Cheat sheet
- Server-side per-user state
- Session ID usually in a cookie
- Easy to revoke
- Needs shared storage to scale