Once logged in, how does the client prove it is authenticated on the /dashboard request and every request after?
It doesn't re-enter a password — the browser automatically resends the session cookie (Cookie: session=…) with every request, and the server uses that SID to look up the session.
Because HTTP is stateless, each request must independently carry the proof of authentication. With cookies that proof is the SID:
- Browser → Server:
GET /dashboardwith headerCookie: session=abc123. - Server: looks up
abc123in its session store, finds "this is user tino, logged in," and serves the page.
No SID (or an unknown one) ⇒ the server treats you as anonymous and bounces you to login. This is why a stolen session cookie is so dangerous — possessing the SID is being logged in (session hijacking).
Tip: Enable "Disable cache" in DevTools → Network and reload: you'll see the Cookie header ride along on the actually-sent request, proving it travels on every call.
Go deeper:
OWASP: Session hijacking attack — why possessing the SID is being logged in, and how it gets stolen.
Session hijacking (Wikipedia) — side-jacking, fixation, and the defenses (TLS, ID regeneration).