What is a Session?

Turkish: Oturum

A session links a user's identity and temporary state across requests in a web application, using server-side or client-side storage.

What is a Session?

A session lets a web application remember that a user is logged in, has a cart, or has selected certain preferences even though HTTP itself is stateless. The server sees each request independently; the session mechanism connects those requests to the same user context.

In the classic model, the server creates a session ID, sends that ID to the browser as a cookie, and stores the actual session data on the server. Later requests send the cookie back, allowing the server to find the matching user and state.

How Is It Managed?

  • Session ID: Must be random, unpredictable, and long enough.
  • Cookie settings: HttpOnly, Secure, and SameSite flags should be used.
  • Expiration: Sessions should end after inactivity or a maximum lifetime.
  • Server store: Memory, Redis, a database, or a managed session store may be used.
  • Rotation: Regenerating the session ID after login reduces session fixation risk.
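The practices in this list, as an added example that is not part of the original page: a minimal in-memory server-side session store in Python with an unpredictable ID, idle and absolute expiration, ID rotation after login, and a Set-Cookie value carrying the three flags. The class name, the timeout values and the cookie name are assumptions chosen for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # end the session after 15 minutes of inactivity
ABSOLUTE_LIFETIME = 8 * 3600  # and in any case 8 hours after creation

class SessionStore:
    """In-memory server-side store mapping session ID -> user context (illustrative)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._sessions = {}

    def create(self, data=None):
        # 32 bytes from the OS CSPRNG: random, unpredictable and long enough
        sid = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[sid] = {"data": dict(data or {}), "created": t, "last_seen": t}
        return sid

    def get(self, sid):
        """Return the session data, or None if unknown or expired (expired entries are dropped)."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        t = self._now()
        if t - rec["last_seen"] > IDLE_TIMEOUT or t - rec["created"] > ABSOLUTE_LIFETIME:
            del self._sessions[sid]
            return None
        rec["last_seen"] = t
        return rec["data"]

    def rotate(self, sid):
        """Issue a fresh ID for the same data after login; the old ID stops working."""
        rec = self._sessions.pop(sid, None)
        if rec is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        rec["created"] = rec["last_seen"] = self._now()
        self._sessions[new_sid] = rec
        return new_sid

    def destroy(self, sid):
        self._sessions.pop(sid, None)

def session_cookie(sid, max_age=IDLE_TIMEOUT):
    """Set-Cookie header value: HttpOnly, Secure and SameSite as listed above."""
    return f"sid={sid}; Max-Age={max_age}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

On a real deployment the dictionary would be replaced by one of the central stores named above so that every load-balanced server sees the same sessions.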

Business Use

Sessions are used in e-commerce carts, admin panels, banking flows, and B2B customer portals where identity matters. In load-balanced systems, keeping session data in the memory of a single server becomes a problem because a later request may be routed to a different server, so teams often choose a central store or a stateless token model.

A cookie-based session and a JWT-based identity model carry different risks. Secure design should account for session theft, CSRF, shared devices, and session renewal after permission changes.