1. Sessions

• A session = a way to maintain state between client & server (HTTP is stateless).
• When you log in, the server creates a session ID and sends it to your browser as a cookie.
• Browser sends this cookie on every request → server matches it with session storage.

📌 Example:

Set-Cookie: sessionid=abc123; HttpOnly; Secure

🔴 Pentesting Risks

• Session hijacking → steal cookie, reuse it.
• Session fixation → attacker sets a known session ID before login.
• Weak/guessable IDs → brute force session tokens.
• No timeout → sessions stay alive forever.

2. Tokens vs Sessions

• Instead of server-stored sessions, tokens are stateless:
  • Server issues a token (like JWT) after login.
  • Token itself contains user data/claims.
  • Server only validates signature → no DB lookup needed.

✅ Advantage → scalable for APIs and microservices.

3. JSON Web Tokens (JWT)

• Most popular token format (used in APIs).

• Structure:

  header.payload.signature
  

  Example:

  eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwiYWRtaW4iOnRydWV9.signature