Stateful authentication mechanism:

Flow

  1. Client → Login (credentials)

  2. Server → Validate credentials

  3. Server → Create a session (and store)

  4. Server → Return session ID (almost always via a cookie)

  5. Client → Store session ID (automatic when it is delivered as a cookie)

  6. Client → Send cookie (session ID) on every request

  7. Server → Look up session

  8. Access granted

  9. On logout, delete the server-side session and clear the cookie (issue a fresh session ID on every new login)

    // so an attacker who obtained the old session ID cannot reuse it
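The nine steps above as an added Python example (not part of the original notes): the in-memory user and session stores, the demo password, the TTL and the cookie attributes are assumptions made for illustration.

```python
import hmac
import secrets
import time
from hashlib import sha256

# Constructed demo user store: username -> salted hash (assumption; a real
# system would use a password KDF such as Argon2 or bcrypt).
_SALT = b"demo-salt"
USERS = {"alice": sha256(_SALT + b"correct horse").hexdigest()}
SESSIONS = {}          # session_id -> {"user": str, "expires": float}
SESSION_TTL = 3600     # seconds; assumption

def _check_password(username, password):
    """Step 2: constant-time comparison so timing does not leak a match."""
    expected = USERS.get(username)
    if expected is None:
        return False
    actual = sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(actual, expected)

def login(username, password):
    """Steps 1-4: validate credentials, create a server-side session, return a fresh ID."""
    if not _check_password(username, password):
        return None
    # Step 3: a new, unguessable ID on every login (never reuse a pre-login ID)
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": username, "expires": time.time() + SESSION_TTL}
    return session_id

def set_cookie_header(session_id):
    """Step 4: Set-Cookie value; HttpOnly keeps scripts away, Secure keeps it off plain HTTP."""
    return f"sid={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age={SESSION_TTL}"

def lookup(session_id):
    """Steps 6-8: resolve the cookie value to a user, or None if unknown or expired."""
    s = SESSIONS.get(session_id)
    if s is None:
        return None
    if s["expires"] < time.time():
        SESSIONS.pop(session_id, None)   # expired: drop it so it can never be reused
        return None
    return s["user"]

def logout(session_id):
    """Step 9: delete the server-side session and return the header that clears the cookie."""
    SESSIONS.pop(session_id, None)
    return "sid=; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=0"
```

After `logout`, the old ID is rejected by `lookup` even if a copy of the cookie survives on the client, and the next `login` returns a different ID.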