Session Cookie

A session cookie is an httpOnly, Secure cookie containing a session identifier mapped to server-side state. Unlike JWT access tokens in localStorage, session cookies are not accessible to JavaScript, reducing XSS token theft risk. The server looks up session data on each request. Classic session auth excels at immediate revocation and logout. Implementations across Node.js, Python, Go, Ruby, and Java follow the same RFC standards, so concepts transfer directly between stacks. Security reviews should treat this as part of your full authentication threat model, not an isolated configuration detail. Document expected behavior for client teams so tokens are issued, stored, and validated consistently across services.

Why It Matters

Choose session cookies when you control a traditional web app and need instant session invalidation. JWTs in Authorization headers suit SPAs and mobile APIs. Hybrid patterns store short-lived JWTs in httpOnly cookies for best of both worlds. Getting this wrong often surfaces only after an incident, when forged or replayed tokens expose gaps in validation or secret handling. Platform teams should encode these rules in libraries, linting, and deployment checklists so individual services cannot drift silently. Pair technical controls with monitoring: log verification failures, track unusual token lifetimes, and alert on spikes in 401 responses.

Related Terms

Related Comparisons

Related Articles

Frequently Asked Questions

Session cookie vs JWT in localStorage?

Session cookies resist XSS exfiltration via httpOnly. localStorage JWTs are readable by any script on the page. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.

Can JWTs use cookies?

Yes. Store access or refresh tokens in httpOnly Secure SameSite cookies for browser apps. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.

Do session cookies scale horizontally?

Yes, with shared session stores like Redis. Stateless JWTs avoid that lookup entirely. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts. Test edge cases with expired, malformed, and wrong-algorithm tokens in CI before shipping auth changes.