Web Foundations & Databases · beginner · ~11 min
Explain how stateless HTTP tracks logged-in users and the flags that protect session cookies.
HTTP is stateless; cookies carry a session ID that the server maps to your identity — so the session cookie is a credential. Protect it with HttpOnly/Secure/SameSite. localStorage is JS-readable (XSS-exposed); bearer tokens follow the same "holder = user" rule.
Session cookies and tokens are credentials, so their handling is central to web testing: missing HttpOnly/Secure/SameSite flags, tokens in localStorage, and session-fixation/hijacking are recurring findings.
Stateless HTTP + session ID: the cookie maps to a server-side session; cookie = credential; stealing it impersonates the user. Flags: HttpOnly (anti-XSS theft), Secure (HTTPS-only), SameSite (anti-CSRF). localStorage: JS-readable → XSS-exposed. Bearer tokens: holder is the user.
HTTP is stateless — each request is independent. So how does a site remember you're logged in? Cookies.
After login, the server sends a Set-Cookie with a session identifier; the browser returns it on every subsequent request. The server maps that ID to your session (who you are, your privileges). The session cookie is effectively your temporary password — stealing it = impersonating you (session hijacking).
Some apps use bearer tokens (e.g. JWT) instead of session cookies, sent in an Authorization header. Same rule: whoever holds the token is the user.
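An added example, not part of the original lesson: a small audit that parses Set-Cookie header values, reports which of the HttpOnly/Secure/SameSite flags are missing or weak, and builds a hardened replacement. The cookie name "sessionid" and the sample headers are constructed for illustration.

```python
# Added example (not from the original lesson): audit Set-Cookie headers for
# the HttpOnly/Secure/SameSite flags and build a hardened replacement.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample Set-Cookie values; the cookie name "sessionid" is hypothetical.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/",                                  # no protective flags
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",  # hardened
    "sessionid=abc123; Path=/; Secure; SameSite=None",           # JS-readable, cross-site
]


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    same_site: Optional[str]
    findings: List[str] = field(default_factory=list)


def audit_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie value and report weak or missing session-cookie flags."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # bare flags map to ""
    audit = CookieAudit(
        name=name,
        http_only="httponly" in attrs,
        secure="secure" in attrs,
        same_site=attrs.get("samesite"),
    )
    if not audit.http_only:
        audit.findings.append("missing HttpOnly: script can read the cookie (XSS theft)")
    if not audit.secure:
        audit.findings.append("missing Secure: cookie may be sent over plaintext HTTP")
    if audit.same_site is None:
        audit.findings.append("missing SameSite: set Lax or Strict to limit cross-site sends")
    elif audit.same_site.lower() == "none":
        audit.findings.append("SameSite=None: cookie rides on cross-site requests (CSRF)")
    return audit


def harden(name: str, value: str) -> str:
    """Return a Set-Cookie value carrying all three protective flags."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", audit_set_cookie(header).findings or ["ok"])
```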
Cookies give stateless HTTP memory by carrying a session ID that is effectively a credential; HttpOnly/Secure/SameSite protect it, while localStorage-stored tokens are XSS-exposed. Credential handling is a core audit area.