LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

Once logged in, how does the client prove it is authenticated on the /dashboard request and every request after?

It doesn't re-enter a password — the browser automatically resends the session cookie (Cookie: session=…) with every request, and the server uses that SID to look up the session.

Because HTTP is stateless, each request must independently carry the proof of authentication. With cookies that proof is the SID:

  1. Browser → Server: GET /dashboard with header Cookie: session=abc123.
  2. Server: looks up abc123 in its session store, finds "this is user tino, logged in," and serves the page.

No SID (or an unknown one) ⇒ the server treats you as anonymous and bounces you to login. This is why a stolen session cookie is so dangerous — possessing the SID is being logged in (session hijacking).

Tip: Enable "Disable cache" in DevTools → Network and reload: you'll see the Cookie header ride along on the actually-sent request, proving it travels on every call.

Go deeper:

From Quiz: INTROL / Web Authentication: Cookies, OAuth 2.0 / OIDC & WebAuthn | Updated: Jul 05, 2026