LOGBOOK

HELP

Quiz Entry - updated: 2026.06.25

What is a session, and why do web applications use them?

A session is a server-side record of an authenticated user, opened after a successful login, so the user doesn't have to re-authenticate on every single request.

Without sessions, HTTP's statelessness would mean typing your password on every page load. Sessions trade a one-time authentication cost for a long-lived "ticket" that the client presents on every subsequent request.

Server side, a session typically holds:

  • The authenticated user ID.
  • Authorisation context (roles, permissions, tenant).
  • Creation time, last-activity time, expiry.
  • Optional context like the IP address or User-Agent the session was created with (used for hijacking detection).

Client side, the session ID (the "ticket") is usually carried as a cookie, sometimes as a header or URL parameter.

Trade-off: convenience vs. risk. A session is a long-lived bearer credential — if it's stolen, the attacker has the user's access for as long as the session lives. That's why all the session-management hardening exists: short timeouts, ID renewal, Secure/HttpOnly/SameSite cookies, server-side invalidation on logout.

Tip: "Session" is sometimes used for stateless tokens too (JWTs in Authorization: Bearer). The risks are the same; only the storage location differs.

From Quiz: ISF / Session Handling & Login Protocols | Updated: Jun 25, 2026