Skip to content

Session-Based Authentication — Complete Server-Side Guide

DodaTech Updated 2026-06-28 2 min read

In this tutorial, you will learn about Session. We cover key concepts, practical examples, and best practices to help you master this topic.

Session-based authentication creates a server-side session object when a user logs in and returns a session ID via a cookie. The server looks up the session on each request.

What You'll Learn

You'll learn how session-based auth works, how to implement it securely, and when to choose it over stateless alternatives.

Why It Matters

Session auth provides immediate revocation (delete the session) and works with traditional server-rendered applications. It remains widely used in legacy and enterprise systems.

Real-World Use

A Django-based CMS uses session auth with Redis-backed session storage. When an admin revokes a user, the session is deleted from Redis, immediately logging them out across all devices.

sequenceDiagram
    participant Client
    participant Server
    participant DB as Session Store
    Client->>Server: POST /login (credentials)
    Server->>DB: Create session
    DB-->>Server: session_id
    Server->>Client: Set-Cookie: session_id=abc123
    Client->>Server: GET /dashboard (Cookie: session_id=abc123)
    Server->>DB: Lookup session
    DB-->>Server: User data
    Server->>Client: Dashboard HTML

Teacher's Mindset

Session auth is like a coat check. You give your coat (credentials) to the attendant, they give you a ticket (session ID), and you present the ticket each time you want your coat back.

Implementation

from flask import Flask, session, request, jsonify
import redis
import uuid

app = Flask(__name__)
app.secret_key = "your-secret-key"
redis_client = redis.Redis(host="localhost", port=6379, db=0)

@app.route("/api/login", methods=["POST"])
def login():
    data = request.json
    if data["username"] == "admin" and data["password"] == "secret":
        session_id = str(uuid.uuid4())
        redis_client.setex(
            f"session:{session_id}",
            3600,
            jsonify({"user_id": 1, "role": "admin"}).data
        )
        response = jsonify({"message": "Logged in"})
        response.set_cookie("session_id", session_id, httponly=True, secure=True)
        return response
    return jsonify({"error": "Invalid credentials"}), 401
@app.route("/api/protected")
def protected():
    session_id = request.cookies.get("session_id")
    if not session_id:
        return jsonify({"error": "Not authenticated"}), 401
    session_data = redis_client.get(f"session:{session_id}")
    if not session_data:
        return jsonify({"error": "Session expired"}), 401
    return jsonify({"message": "Access granted"})

@app.route("/api/logout")
def logout():
    session_id = request.cookies.get("session_id")
    if session_id:
        redis_client.delete(f"session:{session_id}")
    return jsonify({"message": "Logged out"})

Common Mistakes

Mistake Fix
Storing sessions in local files (not scalable) Use Redis or Memcached
Not setting HttpOnly cookie flag Set httponly=True
No session expiration Set appropriate session TTL
Predictable session IDs Use UUID v4 or crypto-random
Sessions survive logout Delete session on logout

Practice Questions

  1. How does session auth differ from JWT?
  2. Why is session revocation immediate?
  3. What is session fixation and how do you prevent it?
  4. Why should sessions be stored in Redis, not local memory?
  5. How do you handle sessions across multiple servers?

Challenge

Implement session-based auth with Redis. Support login, logout, protected route, and session expiry. Test that revoked sessions immediately deny access.

What's Next

Learn about token-based authentication for stateless, scalable APIs.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro