Add session mgt guide #42908
Open
Add session mgt guide #42908
+240
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
Content:Security
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
|
|
||
| A website can also invalidate existing sessions and require reauthentication: | ||
|
|
||
| 1. When the client attempts some high-risk operation, such as attempting to change, or actually changing, the user's credentials on the site, or triggering the account recovery (e.g. password reset) process. |
Contributor
There was a problem hiding this comment.
[mdn-linter] reported by reviewdog 🐶
Suggested change
| 1. When the client attempts some high-risk operation, such as attempting to change, or actually changing, the user's credentials on the site, or triggering the account recovery (e.g. password reset) process. | |
| 1. When the client attempts some high-risk operation, such as attempting to change, or actually changing, the user's credentials on the site, or triggering the account recovery (e.g., password reset) process. |
Contributor
|
Preview URLs (1 page) External URLs (3)URL:
(comment last updated: 2026-01-28 04:17:59) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Here's a page on session management.
Terminology
I've talked mostly about two different models, one where the state is stored in the server and the client gets a session ID, and the other where the state is stored as a signed object (JWT) in the client. I've called these "centralized" and "decentralized" but people don't use these terms.
People sometimes use terms like "cookie-based" for the first and the second "JWT-based", but I don't like these, because ISTM that:
how you store session information in the client and communicate it to the server is orthogonal to these architectural choices - that is, you don't have to do the first using cookies, and you could do the second using cookies
(this is a much weaker objection) although in practice everyone does use JWTs for the second, that's an implementation choice not an architectural one.
I have asked about this and got feedback that my choice here is reasonable, but just flagging it here. We could call them "server-maintained state" and "client-maintained state" which is more descriptive but a real mouthful.
Frameworks and libraries
Regarding the section on "Frameworks and libraries", I do think we need to say this but went back and forth on whether to say it at the start or at the end, and how much detail to go into. FWIW although it might seem to negate the point of all this if we just tell people to use a framework, I really don't think it does - it is important to understand the principles and good practices, even if your framework is looking after a lot of the details for you.