HTTP Session

Learn what HTTP sessions are and how they maintain state across stateless HTTP requests. Understand session cookies, tokens, and server-side storage.

TL;DR: A session is how a site remembers that a series of requests belong to the same user or browser context.

HTTP itself is stateless. Every request arrives as its own event. A session adds continuity so the server can recognize that request two belongs to the same person or workflow as request one.

Why Sessions Exist

Without sessions, common web behavior falls apart:

  • logins would not persist across page loads
  • shopping carts would vanish between clicks
  • multi-step forms could not remember progress
  • applications could not tie a series of actions to one user context

Sessions are one of the main ways the web feels continuous even though the protocol underneath is not.

How Sessions Usually Work

The common pattern looks like this:

  1. the server creates a session record
  2. the server sends back a session identifier
  3. the browser stores that identifier, usually in a cookie
  4. later requests send the identifier back
  5. the server uses it to retrieve the right state

That state might include a logged-in user ID, cart contents, CSRF data, or temporary workflow state.

The Important Distinction

The session itself is not the same as the cookie.

  • the session is the server-side concept and state
  • the cookie is often just the browser’s way of carrying the session ID

That distinction matters because developers sometimes think “the cookie is the session.” Usually it is only the handle that lets the server find the real session.

Why Session Bugs Feel Weird

Session issues often show up as confusing behavior:

  • you log in, then appear logged out on the next request
  • one subdomain works, another does not
  • a session rotates unexpectedly after authentication
  • the browser stores the cookie, but the server still cannot find the session

Those are often cookie-scope, proxy, or session-store problems rather than “login logic” problems.

Security Matters Here

Because sessions often represent authentication, they deserve careful handling:

  • set the Secure attribute so the browser only sends the cookie over HTTPS
  • set HttpOnly so page scripts cannot read the cookie
  • regenerate the session ID after login or any privilege change, so an identifier issued before authentication never becomes an authenticated one
  • expire idle sessions on the server with a deliberate timeout, rather than relying on the browser to drop the cookie

Treat session handling as part of your security model, not just convenience state.
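The five-step pattern above and the hardening rules in this section, as an added example that is not code from the original page: a small server-side session store that issues an opaque ID, carries it in a Secure/HttpOnly cookie, looks state up on later requests, rotates the ID after login, and drops idle sessions. Names such as SessionStore, IDLE_TIMEOUT, build_set_cookie and the SameSite=Lax attribute are this example's own assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # assumed: seconds of inactivity before a session is dropped


class SessionStore:
    """Server-side session state keyed by an opaque, random identifier."""

    def __init__(self, now=time.time):
        self._sessions = {}  # session_id -> {"data": {...}, "last_seen": float}
        self._now = now      # injectable clock so expiry can be exercised offline

    def create(self, data=None):
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy: unguessable handle
        self._sessions[sid] = {"data": dict(data or {}), "last_seen": self._now()}
        return sid

    def lookup(self, sid):
        """Return the state for sid, or None if it is unknown or has sat idle too long."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self._now() - rec["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # expire idle sessions on the server, intentionally
            return None
        rec["last_seen"] = self._now()
        return rec["data"]

    def regenerate(self, sid):
        """Move the state under a fresh ID; call after login or a privilege change."""
        rec = self._sessions.pop(sid, None)  # the pre-login ID stops resolving
        if rec is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"data": rec["data"], "last_seen": self._now()}
        return new_sid


def build_set_cookie(sid):
    """Set-Cookie value carrying only the handle: HTTPS-only and hidden from scripts."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_cookie_header(header):
    """Pull the sid out of an incoming Cookie header such as 'theme=dark; sid=abc'."""
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return value
    return None
```

The old ID is discarded on regenerate, so a request still presenting it gets None from lookup rather than the authenticated state.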

Related terms: HTTP Cookie, HTTP Request, HTTP Response

Frequently Asked Questions

What is an HTTP session?

A session is a way to preserve user-specific state across many otherwise independent HTTP requests.

How do sessions work?

A server generates a session identifier, gives it to the client, and uses that identifier on later requests to look up stored session state.

What is a session cookie?

A session cookie is the browser-side storage for the session identifier. It usually disappears when the browser session ends unless persistence is configured.

How do I secure sessions?

Use HTTPS, protect the session cookie with Secure and HttpOnly, rotate session IDs on login, and expire sessions deliberately.
