
Sessions, Cookies, and JWTs

Last reviewed Jun 1, 2026 Content v20260601
  • Track mode: none
  • Means: Read / quiz
  • Reading: ~1 min
  • Level: intermediate

This lesson

This lesson teaches Sessions, Cookies, and JWTs: security mindset, common threats, and defensive practices for software teams.

Account takeover is the most common breach path—authn/z design is security-critical.

You will apply Sessions, Cookies, and JWTs in contexts like: SaaS login, mobile tokens, and workforce SSO portals.

Read scenario-based lessons, map controls to code you write on other tracks, and complete MCQs—practice threat modeling on paper or in docs.

You are ready for this lesson when you can explain the previous lesson's ideas in your own words.

After login, apps track state via server sessions or signed tokens (JWT)—each has trade-offs.

Secure cookie flags

  • HttpOnly — JavaScript cannot read the cookie via document.cookie (mitigates cookie theft through XSS)
  • Secure — the browser sends the cookie over HTTPS only
  • SameSite=Lax/Strict — limits cookie delivery on cross-site requests, reducing CSRF

JWT cautions

JWTs are signed, not encrypted, by default: anyone holding the token can decode the payload, so do not put secrets in it. Use a short expiry with refresh-token rotation, and note that revoking a JWT on logout is harder than destroying a server-side session.

Important interview questions and answers

  1. Q: HttpOnly?
    A: Prevents document.cookie access from XSS scripts.
  2. Q: JWT in localStorage?
    A: Often discouraged—XSS can exfiltrate; HttpOnly cookie is safer for web.

Self-check

  1. Name three secure cookie attributes.
  2. JWT signed vs encrypted?

Pitfall: Long-lived JWT in localStorage—prefer HttpOnly session cookies for web.

Interview prep

HttpOnly?

Cookie not readable by JavaScript—helps vs XSS theft.


Starter discussion topics

  • HttpOnly why?
  • JWT secret in payload?
