4.8. Client-Side Sessions
Unlike server-side sessions, where session data is stored on the server, client-side sessions store session information on the client.
A client-side session is implemented using only cookies, which contain encoded user information and are included with each request to authenticate the user.
Instead of storing session records on the server, client-side sessions rely on tokens that are:
Generated by the server.
Stored in the browser as cookies.
Sent with every request.
Verified by the server on each request.
This approach eliminates the need for a server-side session store, making authentication stateless.
Note: These session cookies are cryptographically signed by the server, to ensure that the user or a malicious actor hasn't tampered with them.
4.8.1. Establishing a Client-Side Session
The procedure to establish a client-side session is:
The client (browser) sends a login request with username and password.
The server authenticates the user and generates a cookie to store the session information.
The server sends a response back with the cookie.
4.8.2. Maintaining a Client-Side Session
On every request, the client attaches the cookie. The server then:
Extracts the data from the cookie.
Decodes the cookie and verifies the digital signature.
Checks expiration time to ensure the token is still valid.
If valid, authenticates the user and processes the request.
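The two procedures above (issuing the signed cookie in 4.8.1, and verifying signature then expiry in 4.8.2) as an added, self-contained example; it is not code from the original page. The key, cookie layout (`base64(payload).base64(hmac)`) and function names are assumptions chosen for illustration; the signature is an HMAC-SHA256 over the encoded payload.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key: a real server loads a random secret from configuration.
SECRET_KEY = b"demo-secret-key-not-for-production"


def _b64encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_session_cookie(username: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Server side of 4.8.1: encode the user info plus an expiry, then sign it."""
    issued = time.time() if now is None else now
    payload = json.dumps({"user": username, "exp": issued + ttl_seconds}, separators=(",", ":"))
    encoded = _b64encode(payload.encode("utf-8"))
    sig = hmac.new(SECRET_KEY, encoded.encode("ascii"), hashlib.sha256).digest()
    return f"{encoded}.{_b64encode(sig)}"


def verify_session_cookie(cookie: str, now: Optional[float] = None) -> Optional[dict]:
    """Server side of 4.8.2: verify the signature first, then the expiry.
    Returns the session data if the cookie is valid, otherwise None."""
    current = time.time() if now is None else now
    try:
        encoded, sig_text = cookie.split(".", 1)
        expected = hmac.new(SECRET_KEY, encoded.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison so a forged signature cannot be guessed byte by byte via timing.
        if not hmac.compare_digest(expected, _b64decode(sig_text)):
            return None  # tampered or forged
        data = json.loads(_b64decode(encoded).decode("utf-8"))
        if current >= float(data["exp"]):
            return None  # expired
    except (ValueError, KeyError, TypeError, UnicodeDecodeError):
        return None  # malformed cookie
    return data
```

The payload is signed, not encrypted, so anything placed in it is readable by the browser user; keep secrets out of it.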