---
name: Session Tokens
type: cryptographic artifact
status: running
version: 4.2.1
released: 1994-03-01
maintainer: the server (nominally)
dependencies:
  - entropy
  - cookies
  - user trust
  - the assumption that HTTPS is on
license: Implied Social Contract v2
tags:
  - authentication
  - web
  - ephemeral identity
  - distributed paranoia
---
A short string of characters that convinces a server you are still you, for now.
The handshake is deceptively simple:
The token itself knows nothing. It is not clever. It is a shared secret with a shelf life, which is either its greatest strength or a description of most relationships.
| Bug | Severity | Status |
|---|---|---|
| Token stored in localStorage like it is a grocery list | Critical | Won't fix (see: developers) |
| No expiry set because "it complicates the UX" | High | Open since 2003 |
| Transmitted over HTTP because staging was fine | Critical | Closed (fire) |
| Session fixation via attacker-supplied token | High | Patched in theory |
| Token valid indefinitely after logout | Medium | "Out of scope" |
"We just put it in a cookie with HttpOnly and called it secure. That was two years ago." — anonymous backend developer, anonymous startup
```yaml
session_token:
  length_bytes: 32                         # minimum. do not argue.
  storage: httponly_cookie                 # not localStorage. please.
  expiry_seconds: 3600                     # or shorter. longer is a choice you make.
  rotation_on_privilege_escalation: true
  bound_to_ip: optional                    # paranoid but valid
  secure_flag: true                        # non-negotiable
  samesite: Strict                         # Lax if you enjoy risk
```
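The spec above, as an added example that is not part of the original page: a minimal server-side session store that generates 32-byte tokens, stores only a hash of each token, enforces expiry, rotates on privilege escalation, deletes on logout (so no phantom sessions), and emits the matching `Set-Cookie` header. The `SessionStore` class, its `clock` parameter and the `session` cookie name are assumptions made for this example.

```python
import secrets
import hashlib
import time

SESSION_TTL = 3600    # expiry_seconds from the spec above
TOKEN_BYTES = 32      # length_bytes minimum; token_urlsafe draws from a CSPRNG

class SessionStore:
    """Hypothetical store: sessions are keyed by SHA-256 of the token, so a
    leaked copy of this table does not hand out live sessions."""
    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock   # injectable so expiry can be tested

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, privilege="user"):
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[self._key(token)] = {
            "user": user_id, "privilege": privilege,
            "expires": self._clock() + SESSION_TTL,
        }
        return token

    def lookup(self, token):
        # Returns (record, None) on success or (None, reason) on failure.
        rec = self._sessions.get(self._key(token)) if token else None
        if rec is None:
            return None, "401 UNAUTHORIZED"
        if self._clock() >= rec["expires"]:
            self._sessions.pop(self._key(token))   # 440: token fine, time was not
            return None, "440 SESSION EXPIRED"
        return rec, None

    def escalate(self, token, privilege):
        # rotation_on_privilege_escalation: the old token dies, a new one is issued
        rec, err = self.lookup(token)
        if err:
            return None, err
        del self._sessions[self._key(token)]
        return self.issue(rec["user"], privilege), None

    def logout(self, token):
        self._sessions.pop(self._key(token), None)   # server-side delete, no phantoms

def set_cookie_header(token, max_age=SESSION_TTL):
    # storage: httponly_cookie, secure_flag: true, samesite: Strict
    return (f"session={token}; Max-Age={max_age}; Path=/; "
            "HttpOnly; Secure; SameSite=Strict")
```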
| Code | Meaning |
|---|---|
| 401 UNAUTHORIZED | Token missing. Did you even log in? |
| 403 FORBIDDEN | Token present. Server unimpressed. |
| 440 SESSION EXPIRED | Token valid. Time was not. |
| PHANTOM_SESSION | Token accepted. User was logged out 6 hours ago. Unclear how. |
| CSRF_SURPRISE | Token fine. Request did not come from where you think. |
Q: How is this different from a cookie?
A: A cookie is the container. The session token is the thing inside. Like asking how a jar differs from jam.

Q: Should I use JWTs instead?
A: JWT tokens are session tokens that went to architecture school and came back with strong opinions. Use them if you understand the tradeoffs. Most don't.

Q: When does a session token become an identity?
A: The moment the server decides it does. This is also true of most IDs.