What Is a Session Cookie? Keeping You Logged In
A session cookie is a small value stored in the browser that identifies a logged-in user across requests, so they do not re-authenticate on every page.
A session cookie is what keeps you logged in as you click around a web app. After you authenticate, the server issues a session identifier stored in a cookie; the browser sends it with each request so the server knows who you are. Because that cookie effectively is your session, protecting it is central to web security, including for the dashboards your team uses.
How session cookies work
On login, the server creates a session and returns an identifier in a cookie. The browser attaches that cookie to every subsequent request to the site. The server looks up the session and treats the request as authenticated, no re-login required.
Securing the cookie
- HttpOnly: blocks JavaScript from reading the cookie, limiting theft via XSS.
- Secure: sends the cookie only over HTTPS.
- SameSite: limits cross-site sending, reducing CSRF risk.
Why theft is dangerous
Whoever holds a valid session cookie is effectively logged in as that user. Stealing one, through cross-site scripting or an insecure connection, lets an attacker impersonate the victim. That is why the protective flags above are essential.
Session lifetime and rotation
Sessions should expire after inactivity and be invalidated on logout. Rotating the session identifier after login (and on privilege changes) prevents fixation attacks, where an attacker plants a known session ID before the victim authenticates.
Session cookies and CI/CD
If you build web apps, correct cookie flags and session handling are part of secure coding. CI security checks and reviews should confirm HttpOnly, Secure, and SameSite are set, since a missing flag is an easy, common vulnerability.
Cookies versus tokens
Session cookies handle human, browser-based sessions. They are distinct from the bearer tokens pipelines use for machine-to-machine access. A session cookie is for people in a browser; an access token is for automation calling an API.
Key takeaways
- A session cookie identifies a logged-in user across requests in a browser.
- HttpOnly, Secure, and SameSite flags defend against theft and cross-site abuse.
- Sessions should expire, rotate on login, and invalidate on logout.