A session token is a unique identifier used to associate a client with a server-side session. It is typically stored in a cookie or sent as a header. The token maps to session data stored in memory, a database, or a distributed cache. Unlike JWTs, session tokens require server-side storage of session state.
Why it matters
Session tokens power authentication systems while maintaining server-side control over session data. They enable logout functionality, short-lived sessions, and invalidation without modifying the client.
Examples
A secure, HttpOnly cookie containing a random session ID used to maintain login status. Lessons like "What Are Sessions?" cover these flows.
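The lifecycle described above (random ID issued, state kept server-side, expiry, logout by invalidation) as an added example that is not part of the original entry. `SessionStore`, `session_cookie`, the cookie name `session`, the 900-second lifetime, and the `SameSite=Lax` attribute are assumptions of this example, and storing only a hash of the token is a hardening choice made here, not something the entry prescribes.

```python
import hashlib
import secrets
import time

SESSION_TTL = 900  # seconds; constructed value for this example


class SessionStore:
    """In-memory store; a real deployment would use a database or distributed cache."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._sessions = {}  # sha256(token) -> {"user": ..., "expires": ...}

    @staticmethod
    def _key(token):
        # Keep only a hash server-side so a leaked store does not expose usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = {
            "user": user,
            "expires": self._clock() + self._ttl,
        }
        return token

    def lookup(self, token):
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None  # unknown or already invalidated token
        if self._clock() >= entry["expires"]:
            del self._sessions[key]  # expired: drop the server-side state
            return None
        return entry["user"]

    def destroy(self, token):
        # Logout: the server forgets the session, so the client's copy stops working
        # without anything on the client having to change.
        return self._sessions.pop(self._key(token), None) is not None


def session_cookie(token, ttl=SESSION_TTL):
    # Set-Cookie header value for the random session ID.
    return f"session={token}; Max-Age={ttl}; Path=/; Secure; HttpOnly; SameSite=Lax"
```
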