Session Token
What is Session Token?
Opaque identifier issued after authentication that the client returns with each request, letting the server look up the user's session state.
A session token is the credential that keeps a user logged in across HTTP requests. Most commonly it is a cryptographically random string stored on the server side (in a database, cache, or signed cookie) and sent to the browser as a cookie marked Secure, HttpOnly, and SameSite. The server uses it as a key into session storage holding the user ID, roles, and metadata. Strong session tokens have high entropy, are regenerated on login and privilege change, have idle and absolute timeouts, and are invalidated server-side at logout. Common attacks include session fixation, session hijacking, predictable IDs, and missing logout.
● Examples
- Set-Cookie: SESSIONID=Z6r...; Secure; HttpOnly; SameSite=Lax
- Regenerating the session ID immediately after a successful login to prevent fixation.
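As an added illustration (not code from this glossary), a minimal Python session store that implements the properties listed above: a high-entropy token from the OS CSPRNG, server-side lookup, identifier regeneration on login, idle and absolute timeouts, server-side invalidation at logout, and the Set-Cookie flags from the example line. The class, its method names and the timeout values are assumptions chosen for the example.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session expires (assumed value)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime, active or not (assumed value)


class SessionStore:
    """Server-side session storage (in-memory here, standing in for a DB or cache)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so timeouts can be tested deterministically
        self._sessions = {}          # token -> {"user_id", "roles", "created", "last_seen"}

    def _new_token(self):
        # 32 random bytes (256 bits of entropy) from the OS CSPRNG, URL-safe encoded
        return secrets.token_urlsafe(32)

    def create(self, user_id=None, roles=()):
        """Issue a fresh token; user_id=None is an anonymous pre-login session."""
        token, now = self._new_token(), self._clock()
        self._sessions[token] = {"user_id": user_id, "roles": tuple(roles),
                                 "created": now, "last_seen": now}
        return token

    def login(self, old_token, user_id, roles=()):
        """Bind a user to the session and rotate the identifier, so a token
        planted before authentication (fixation) is never valid afterwards."""
        self.invalidate(old_token)
        return self.create(user_id, roles)

    def lookup(self, token):
        """Resolve a token to its session, enforcing idle and absolute timeouts."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT or now - sess["created"] > ABSOLUTE_TIMEOUT:
            self.invalidate(token)
            return None
        sess["last_seen"] = now      # activity refreshes the idle timer only
        return sess

    def invalidate(self, token):
        """Server-side logout: the token stops working even if the cookie lingers."""
        self._sessions.pop(token, None)


def set_cookie_header(token, name="SESSIONID"):
    """Build the Set-Cookie value with the flags the definition calls for."""
    return f"{name}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"
```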
● Frequently asked questions
What is Session Token?
Opaque identifier issued after authentication that the client returns with each request, letting the server look up the user's session state. It belongs to the Identity & Access category of cybersecurity.
● Related terms
- Session Management (identity-access): The set of controls that issue, maintain, refresh, and revoke an authenticated session, binding a user's identity to subsequent requests until logout or expiration.
- Session Hijacking (attacks): An attack that takes over a victim's authenticated session by stealing or forging the session identifier so the attacker can act as the user without their credentials.
- Session Fixation (appsec): An attack in which the adversary plants a known session identifier in the victim's browser before login, so it remains valid for the attacker after authentication.
- Secure Cookie Flag (appsec): A cookie attribute that tells the browser to send the cookie only over HTTPS, preventing exposure in cleartext on the network.
- HttpOnly Cookie Flag (appsec): A cookie attribute that hides the cookie from JavaScript by forbidding access via 'document.cookie', limiting session theft when XSS is exploited.
- SameSite Cookie (appsec): A cookie attribute that controls whether browsers attach the cookie on cross-site requests, with values Strict, Lax and None, used primarily to mitigate CSRF.
● See also
- CSRF Token