Session Lifecycle: How Web Sessions Work
A session lifecycle covers the start, maintenance, and destruction of a user session.
Session Lifecycle
Every time you log into a website, a session is created to keep you authenticated as you navigate from page to page. Sessions have a beginning, a middle, and an end, and understanding each phase is essential for building secure web applications that protect user identity and data throughout the entire interaction.
What Is a Session
A session is a temporary, stateful conversation between a client and a server that persists across multiple HTTP requests. Because HTTP is a stateless protocol by design, each request is completely independent and the server has no built-in memory of previous interactions. Sessions are the mechanism web applications use to work around this limitation, maintaining continuity of user identity and context across an entire browsing experience.
When a session is created, the server stores user-specific data in a session record and assigns it a unique, unpredictable session ID. The server sends this ID to the browser as a cookie. On every subsequent request, the browser automatically includes the cookie, the server reads the ID, looks up the corresponding session record, and uses the stored data to understand who is making the request and what context they are operating in. The session data never leaves the server. The client holds only a reference to it.
Sessions are used for more than just authentication. Shopping carts in e-commerce applications, multi-step form progress, user preferences, and recently viewed content are all examples of state that can be stored in a session. Authentication is the most security-sensitive use case, which is why session management for logged-in users requires the most careful attention to security practices.
The Session Lifecycle
A session passes through a predictable sequence of phases from the moment a user logs in to the moment they log out or are automatically signed out. Understanding each phase helps you implement sessions correctly and identify where security controls need to be applied.
| Phase | What Happens | Where Data Lives | Security Action Required |
|---|---|---|---|
| 1. Session Creation | User submits valid credentials. Server verifies them, creates a session record containing the user's ID and role, and generates a cryptographically random session ID. | Session record created in server-side store (memory, database, or Redis) | Generate a new session ID to prevent session fixation. Use a cryptographically secure random generator. |
| 2. Session ID Delivery | Server sends the session ID to the browser in a Set-Cookie response header alongside the login response. | Session ID stored in browser cookie | Set HttpOnly, Secure, SameSite, and an appropriate Max-Age or Expires on the cookie. |
| 3. Session Persistence | On every subsequent request, the browser automatically sends the session cookie. The server reads the ID and looks up the session record to identify the user. | Client holds the cookie. Server holds the session data. | Validate that the session record exists and has not expired on every request to a protected resource. |
| 4. Session Update | The server updates session data as the user interacts, recording last activity time, cart contents, preferences, or any other state that needs to persist across requests. | Session record updated in server-side store | Reset the idle timeout timer on each update to keep active sessions alive while expiring inactive ones. |
| 5. Session Expiry | The session expires after an idle timeout period with no activity or after a maximum absolute lifetime, whichever comes first. The server marks the record as expired or deletes it. | Session record deleted or marked expired in server-side store | Enforce both idle timeouts and absolute timeouts. Do not allow sessions to persist indefinitely. |
| 6. Session Destruction | The user explicitly logs out. The server immediately deletes the session record. The browser cookie is cleared. Any future requests with the old session ID are treated as unauthenticated. | Cleared from both server store and browser cookie | Always delete the server-side record on logout, not just the cookie. Deleting only the cookie leaves a valid server-side session that an attacker who has the ID could still use. |
// Session creation on login
app.post('/login', async (req, res) => {
const user = await db.findUserByEmail(req.body.email);
const valid = await bcrypt.compare(req.body.password, user.passwordHash);
if (!valid) return res.status(401).json({ error: 'Invalid credentials' });
// Regenerate session ID to prevent session fixation
req.session.regenerate((err) => {
if (err) return res.status(500).json({ error: 'Session error' });
// Store user data in the session (server-side only)
req.session.userId = user.id;
req.session.role = user.role;
req.session.loginAt = Date.now();
res.json({ message: 'Logged in successfully' });
// Browser receives: Set-Cookie: connect.sid=s%3Aabc...; HttpOnly; Secure; SameSite=Lax
});
});
// Session validation on every protected request
app.get('/dashboard', (req, res) => {
if (!req.session.userId) {
return res.status(401).json({ error: 'Not authenticated' });
}
res.json({ userId: req.session.userId, role: req.session.role });
});
// Session destruction on logout
app.post('/logout', (req, res) => {
req.session.destroy((err) => {
res.clearCookie('connect.sid'); // Remove cookie from browser
res.json({ message: 'Logged out successfully' });
// The server-side session record is now deleted
// The old session ID cannot be used again
});
});Session Storage Options
The session store is where the server-side session data lives. The choice of session store has significant implications for performance, scalability, and resilience. Different applications have different requirements, and the right choice depends on your traffic volume, infrastructure, and how critical session data persistence is.
| Storage Type | Speed | Persistence | Multi-Server Support | Best For |
|---|---|---|---|---|
| Server Memory | Fastest. No network round-trip. | None. Sessions lost on restart or crash. | No. Each server instance has its own memory. | Development and single-server low-traffic applications only |
| Redis | Very fast. In-memory with optional persistence. | Configurable. Can persist to disk with RDB or AOF. | Yes. All server instances share one Redis store. | Production applications, high-traffic sites, multi-server deployments |
| Memcached | Very fast. Pure in-memory. | None. Data lost on restart. | Yes. Distributed across multiple nodes. | High-performance caching where session loss on restart is acceptable |
| SQL Database | Slower. Disk-based with query overhead. | Full. Survives restarts and failures. | Yes. All servers query the same database. | Applications already using a relational database that need session persistence without extra infrastructure |
| Encrypted Cookie | Fast. No server lookup required. | Client-side. Survives server restarts. | Yes. No server store at all. | Small amounts of non-sensitive session data in applications that want to avoid server-side session infrastructure |
Session Timeouts
Every session should have two types of timeout enforced independently. Using only one type leaves gaps that can be exploited or that create poor user experiences.
- Idle timeout (inactivity timeout): The session expires after a defined period of user inactivity. If no requests are made within the timeout window, the session is invalidated on the next request. Typical values are 15 to 30 minutes for sensitive applications such as banking and healthcare, and 30 to 60 minutes for general web applications. The idle timer is reset on every authenticated request.
- Absolute timeout (maximum session lifetime): The session expires after a fixed maximum duration regardless of activity. This prevents scenarios where a highly active user's session persists indefinitely, which could be exploited if the session ID is compromised. A common value is 8 to 24 hours. After the absolute timeout, the user must log in again even if they have been continuously active.
- Renewal on sensitive operations: For critical actions such as changing a password, updating payment information, or accessing sensitive data, requiring re-authentication regardless of session state is a common security pattern. This limits the damage if a session is hijacked by an attacker who gains brief access to a user's device.
Session Security Best Practices
- Regenerate the session ID after login: Always generate a new session ID when a user's privilege level increases, such as immediately after a successful login. If the session ID is not regenerated, an attacker who set a known session ID before the user logged in (session fixation attack) would inherit the authenticated session after login.
- Set HttpOnly and Secure on the session cookie: The HttpOnly attribute prevents JavaScript from reading the cookie, protecting the session ID from XSS-based theft. The Secure attribute ensures the cookie is only transmitted over HTTPS, preventing interception over unencrypted connections.
- Set SameSite on the session cookie: The SameSite=Lax attribute prevents the session cookie from being sent in cross-site requests initiated by third-party pages, which is the primary defence against CSRF attacks for session-based authentication.
- Enforce session timeouts: Set both an idle timeout and an absolute maximum lifetime. Do not allow sessions to exist indefinitely. Even for "Remember Me" functionality, use a separate long-lived token rather than an unlimited session duration.
- Destroy the server-side session on logout: Deleting only the client-side cookie on logout leaves the server-side session record intact. An attacker who obtained the session ID through any means could continue to use it until the server-side record expires naturally. Always explicitly delete the server-side record when a user logs out.
- Limit concurrent sessions: Consider invalidating existing sessions from other devices when a new login occurs, or providing users with visibility into active sessions and the ability to revoke them. This limits the damage from session theft by ensuring the legitimate user and attacker cannot both use the same account simultaneously.
- Bind sessions to additional context: Storing the user's IP address or user agent string at session creation and validating them on subsequent requests can detect session theft when the attacker has a different network location or browser. This adds friction for attackers but can also cause false positives for mobile users who change networks, so it should be applied with appropriate tolerance.
Frequently Asked Questions
- What is session hijacking?
Session hijacking is an attack where an attacker obtains a valid session ID and uses it to impersonate the authenticated user. Session IDs can be stolen through XSS attacks that read the cookie via JavaScript if HttpOnly is not set, through network interception on unencrypted connections if HTTPS is not enforced, through physical access to a user's device, or through cross-site request forgery that exploits the automatic cookie inclusion. Defences include HttpOnly and Secure cookie attributes, HTTPS enforcement, short session timeouts, and binding sessions to contextual signals like IP address. Regenerating session IDs after privilege changes prevents session fixation, which is related but distinct. - What is session fixation?
Session fixation is an attack where the attacker sets or predicts the session ID before the user logs in and then waits for the user to authenticate with that known ID. If the server does not generate a new session ID after login, the attacker who set the original ID now holds a valid authenticated session ID. The defence is straightforward and absolute: always call the session regeneration function immediately after a successful login, replacing the pre-login session ID with a new, freshly generated one. The user's pre-login session data such as an anonymous shopping cart can be migrated to the new session before the old one is discarded. - How does Remember Me functionality work with sessions?
Remember Me is typically implemented separately from the regular session mechanism rather than by simply extending the session lifetime. At login, the server generates a separate long-lived persistent token, stores a hashed version of it in the database associated with the user, and sets it as a long-lived cookie. When the user returns without an active session, the server finds the persistent token cookie, looks up the hashed value in the database, and if it matches, creates a fresh short-lived session for the user. The persistent token itself is rotated on each use, and it can be revoked by deleting its database record when the user explicitly logs out from all devices. - What happens to sessions in a load-balanced multi-server environment?
If sessions are stored in server memory, a load balancer routing requests to different server instances will cause session loss for most requests because each server only knows about the sessions it created. The standard solutions are sticky sessions, where the load balancer routes all requests from a given client to the same server, or a shared external session store. Sticky sessions are simpler but reduce load balancing effectiveness and create problems when servers go down. A shared Redis session store allows any server instance to look up any session, making session management fully independent of which server handles each request. Redis is the industry standard for this use case. - Should I store sensitive data in a session?
Session data stored server-side is more secure than data stored in cookies or tokens because it never leaves the server. However, you should still be thoughtful about what you store. Storing a user's ID and role in a session is appropriate and normal. Storing passwords, payment card numbers, or full sensitive personal data in a session is unnecessary and increases the impact of a session store compromise. Store the minimum data needed to identify and authorise the user. For sensitive operations, retrieve fresh data from the database rather than relying on cached session data that may be stale. The session is a reference mechanism, not a data cache for sensitive records.
Conclusion
Sessions bridge the fundamental gap between HTTP's statelessness and the continuous authenticated experience users expect from modern web applications. Every login, every page navigation, and every logout is a phase in the session lifecycle, each requiring its own security controls applied correctly. Regenerating session IDs after login prevents fixation attacks. HttpOnly and Secure cookie attributes protect the session ID from theft. Server-side session deletion on logout ensures complete termination. Idle and absolute timeouts limit the exposure window for compromised sessions. A shared external session store like Redis enables reliable session management at scale across multiple servers. Getting these fundamentals right is a baseline responsibility for every developer building authenticated web applications. Continue with cookies vs sessions, cookie security attributes, and session vs token authentication to build a complete understanding of web authentication and session management.