> Is the cookie's value mapped to some in-memory entry in the application server, is it stored in a database, etc?

Neither. At login the server signs the new session cookie with a secret application key. Later, when a client requests a page and sends over the session cookie, the server verifies the signature. If it matches, the data in the session cookie -- which usually includes the username, whether they're logged in, and for how long -- can be trusted.

This is nice because it makes scaling a stateful site easier. Server-side session stores often become the bottleneck. Also, from a REST standpoint, updating a session database during a GET request (e.g. to freshen the session) is problematic.

ASP.net was the first time I remember seeing the signed session cookie trick, but most web frameworks have it now:

django -- https://docs.djangoproject.com/en/dev/topics/http/sessions/#...
rails -- http://guides.rubyonrails.org/security.html#session-storage
flask -- http://flask.pocoo.org/docs/api/#sessions
node -- https://github.com/mozilla/node-client-sessions
mojolicious -- http://toroid.org/ams/etc/mojolicious-session-cookies
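The sign-at-login / verify-on-request scheme described in the comment above, as an added worked example (this is not the commenter's code and not any of the listed frameworks' implementations). It uses HMAC-SHA256 over a base64url-encoded JSON payload, carries the expiry inside the signed data so "for how long" is also protected, and compares tags in constant time. The secret key, the `sign_session`/`verify_session` names and the sample session contents are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real application loads this from configuration,
# never from source control.
SECRET_KEY = b"constructed-demo-secret-key-do-not-reuse"


def _b64(data: bytes) -> str:
    """base64url without padding, so the value is cookie-safe."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    pad = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + pad)


def sign_session(data: dict, key: bytes = SECRET_KEY, now=None, ttl=3600) -> str:
    """Serialize the session and append an HMAC tag: '<payload>.<tag>'.

    The expiry is put inside the payload so it is covered by the signature.
    """
    session = dict(data)
    current = int(now if now is not None else time.time())
    session["exp"] = current + ttl
    # Canonical JSON (sorted keys, no whitespace) keeps the encoding stable.
    payload = _b64(json.dumps(session, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def verify_session(cookie: str, key: bytes = SECRET_KEY, now=None):
    """Return the session dict if the tag is valid and not expired, else None.

    Malformed cookies, bad signatures and expired sessions all yield None so the
    caller treats them uniformly as 'not logged in'.
    """
    try:
        payload, tag_b64 = cookie.rsplit(".", 1)
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
        # Verify BEFORE parsing: never act on unauthenticated data.
        if not hmac.compare_digest(expected, _unb64(tag_b64)):
            return None
        session = json.loads(_unb64(payload))
    except (ValueError, TypeError):
        return None
    current = now if now is not None else time.time()
    if not isinstance(session, dict) or session.get("exp", 0) < current:
        return None
    return session


def tamper_demo(cookie: str) -> str:
    """Rewrite the payload to add an 'admin' flag but keep the original tag.

    Used below to show that an edited payload no longer verifies.
    """
    payload, tag_b64 = cookie.rsplit(".", 1)
    session = json.loads(_unb64(payload))
    session["admin"] = True
    forged = _b64(json.dumps(session, sort_keys=True, separators=(",", ":")).encode())
    return f"{forged}.{tag_b64}"


if __name__ == "__main__":
    cookie = sign_session({"user": "alice", "logged_in": True}, ttl=60)
    print("valid:   ", verify_session(cookie))
    print("tampered:", verify_session(tamper_demo(cookie)))      # None
    print("wrong key:", verify_session(cookie, key=b"other"))      # None
    print("expired: ", verify_session(cookie, now=time.time() + 120))  # None
```

Two things this makes visible that the prose only implies: the payload is signed but not encrypted, so anything in it (username, login flag, expiry) is readable by the client and must not be secret; and because the server holds no per-session record, the only ways to invalidate a cookie early are the embedded expiry or rotating the application key, which logs everyone out.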