
Definition

Session Management

The process of securely creating, maintaining, and invalidating user sessions to track authenticated users across multiple requests.

Session management handles the lifecycle of a user's authenticated state — from login to logout — across stateless HTTP requests. Implementations typically use server-side sessions with cookies or stateless JWT tokens. Secure session management requires HTTP-only and secure cookie flags, session expiration and renewal, protection against session fixation and hijacking, and proper invalidation on logout. AI-generated authentication code commonly creates sessions that never expire, stores session tokens in localStorage (vulnerable to XSS), or fails to invalidate sessions on the server when a user logs out — meaning a stolen token remains valid indefinitely.
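
A minimal sketch of the server-side lifecycle described above, added as an example (not Productera's code): an in-memory store with idle and absolute expiry, ID rotation at login against fixation, and server-side deletion on logout. The class and function names, the timeout values and the `SameSite=Lax` attribute are assumptions chosen for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumed policy: 15 minutes without activity
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed policy: 8 hours maximum lifetime


class SessionStore:
    """In-memory server-side session store (hypothetical; illustration only)."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so expiry can be tested

    def create(self, user_id=None):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = {"user": user_id, "created": now, "seen": now}
        return sid

    def get(self, sid):
        """Return the session record, or None if unknown, expired or revoked."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["seen"] > IDLE_TIMEOUT or now - rec["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]  # expired: forget it server-side
            return None
        rec["seen"] = now  # renew the idle window; the absolute limit is unchanged
        return rec

    def login(self, old_sid, user_id):
        """Issue a fresh ID at login so a pre-login ID cannot be reused (fixation)."""
        self._sessions.pop(old_sid, None)
        return self.create(user_id)

    def logout(self, sid):
        """Delete the record so a stolen copy of the ID stops working."""
        self._sessions.pop(sid, None)


def session_cookie(sid):
    # HttpOnly hides the cookie from page scripts; Secure restricts it to HTTPS.
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age={ABSOLUTE_TIMEOUT}"
```

Because validity is decided by the server-side record, clearing the cookie in the browser is not what ends the session; `logout` removing the record is.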
