What is Session?
Turkish: Oturum
A session links a user's identity and temporary state across requests in a web application, using server-side or client-side storage.
What is a Session?
A session lets a web application remember that a user is logged in, has a cart, or has selected certain preferences even though HTTP itself is stateless. The server sees each request independently; the session mechanism connects those requests to the same user context.
In the classic model, the server creates a session ID, sends that ID to the browser as a cookie, and stores the actual session data on the server. Later requests send the cookie back, allowing the server to find the matching user and state.
How Is It Managed?
- Session ID: Must be random, unpredictable, and long enough.
- Cookie settings: HttpOnly, Secure, and SameSite flags should be used.
- Expiration: Sessions should end after inactivity or a maximum lifetime.
- Server store: Memory, Redis, a database, or a managed session store may be used.
- Rotation: Regenerating the session ID after login reduces session fixation risk.
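The rules above as a minimal in-memory implementation, added here as an illustration and not code from the original entry; the SessionStore class, its timeout values and the cookie name sid are assumptions:

```python
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60        # end the session after 15 min without a request
ABSOLUTE_LIFETIME = 8 * 3600  # ...and after 8 h regardless of activity


class SessionStore:
    """Server-side store keyed by an opaque, unpredictable session ID (assumed helper)."""

    def __init__(self, clock=time.time):
        self._data = {}      # in production: Redis, a database, or a managed store
        self._clock = clock  # injectable so expiry can be exercised deterministically

    def create(self, user=None):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: random and long enough
        now = self._clock()
        self._data[sid] = {"user": user, "created": now, "last_seen": now, "state": {}}
        return sid

    def get(self, sid):
        rec = self._data.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > IDLE_TIMEOUT or now - rec["created"] > ABSOLUTE_LIFETIME:
            del self._data[sid]  # expired: discard it and treat the cookie as unknown
            return None
        rec["last_seen"] = now   # sliding idle window
        return rec

    def rotate(self, old_sid, user):
        """After a successful login: issue a fresh ID, keep the pre-login state (e.g. cart),
        and invalidate the old ID so a fixated or pre-shared value is useless."""
        old = self._data.pop(old_sid, None)
        new_sid = self.create(user)
        self._data[new_sid]["state"] = old["state"] if old else {}
        return new_sid


def session_cookie_header(sid):
    """Build the Set-Cookie header carrying the ID with the recommended flags."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["httponly"] = True   # not exposed to document.cookie
    c["sid"]["secure"] = True     # only sent over HTTPS
    c["sid"]["samesite"] = "Lax"  # not attached to cross-site POST requests
    c["sid"]["path"] = "/"
    return c.output()
```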
Business Use
Sessions are used in e-commerce carts, admin panels, banking flows, and B2B customer portals where identity matters. In load-balanced systems, keeping session data on one server can become a problem, so teams often choose a central store or a stateless token model.
A cookie-based session and a JWT-based identity model carry different risks. Secure design should account for session theft, CSRF, shared devices, and session renewal after permission changes.
Related Terms
Cookie
A cookie is a small browser-stored value tied to a domain, used for sessions, preferences, consent, and limited tracking.
JWT (JSON Web Token)
JWT is a signed and encoded JSON-based token standard used to carry verifiable claims between APIs, clients, and services.
Web Storage
Web Storage stores small key-value data in the browser through localStorage and sessionStorage for client-side state.