Session auth relies on a session ID: once it is issued, every request the user makes from that point on is verified against it.
- User logs in
- Session ID is created on the server.
- The Session ID is linked to the user’s account in the database.
Advantages of session auth (e.g. over Cookie Auth):
- Based on the session table in the DB, the server knows who is logged in
- Session invalidation is easy
Cons:
- Session hijacking is a security risk
- Session fixation: an attacker takes control of the user's session after the user logs in. To prevent this, a new session should be created on every login.
- Separate storage for sessions is necessary; with multiple databases or services this can grow more complex
Example
A session auth API should implement the following functions (the `Session` and `SessionValidationResult` shapes are not spelled out here; the declarations below are assumed):

```ts
// Assumed shapes for the two result types
export interface Session { id: string; userId: number; expiresAt: Date }
export type SessionValidationResult =
  | { session: Session; userId: number } | { session: null; userId: null };
export function generateSessionToken(): string {
  // return a random, unguessable token to hand to the client
}
export async function createSession(token: string, userId: number): Promise<Session> {
  // store a session row linked to userId and return it
}
export async function validateSessionToken(token: string): Promise<SessionValidationResult> {
  // look up the session for this token; reject unknown or expired sessions
}
export async function invalidateSession(sessionId: string): Promise<void> {
  // delete the session row so the token stops working
}
```
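An implementation of that interface, added here as an example rather than taken from the page or from any library. It assumes an in-memory `Map` in place of the DB session table, a 30-day TTL, the `Session`/`SessionValidationResult` shapes shown, and a hypothetical `login` helper that rotates the session on every login, the fixation defence noted above.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Assumed shapes (not given on the page) and an in-memory Map standing in for the DB session table.
export interface Session { id: string; userId: number; expiresAt: Date }
export type SessionValidationResult =
  | { session: Session; userId: number }
  | { session: null; userId: null };
export const sessions = new Map<string, Session>();
const SESSION_TTL_MS = 30 * 24 * 60 * 60 * 1000; // 30 days, an assumed policy

// The token is the secret the client holds; the server stores only its hash as the
// session id, so a leaked session table does not contain reusable tokens.
export function generateSessionToken(): string {
  return randomBytes(20).toString("base64url"); // 160 bits from a CSPRNG
}
export function sessionIdFromToken(token: string): string {
  return createHash("sha256").update(token).digest("hex");
}

export async function createSession(token: string, userId: number): Promise<Session> {
  const session: Session = {
    id: sessionIdFromToken(token),
    userId,
    expiresAt: new Date(Date.now() + SESSION_TTL_MS),
  };
  sessions.set(session.id, session); // links the session to the user's account
  return session;
}

export async function validateSessionToken(token: string): Promise<SessionValidationResult> {
  const session = sessions.get(sessionIdFromToken(token));
  if (!session) return { session: null, userId: null };
  if (Date.now() >= session.expiresAt.getTime()) {
    sessions.delete(session.id); // expired: remove it and treat the user as logged out
    return { session: null, userId: null };
  }
  return { session, userId: session.userId };
}

export async function invalidateSession(sessionId: string): Promise<void> {
  sessions.delete(sessionId); // "easy invalidation": one row gone, the token is dead
}

// Hypothetical login helper: always issues a fresh session and drops the one the
// browser presented, so a session an attacker planted before login never survives it.
export async function login(presentedToken: string | null, userId: number): Promise<string> {
  if (presentedToken !== null) await invalidateSession(sessionIdFromToken(presentedToken));
  const token = generateSessionToken();
  await createSession(token, userId);
  return token;
}
```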