Session
HTTP 1.1 is stateless.
Cookies are used to keep the session.
When the user logs in successfully, an identifier (session ID) is put in the
Set-Cookie header, with HttpOnly set, so that the JavaScript
runtime cannot access it.
The browser will bring that identifier in the Cookie header in every
subsequent request.
The server then uses the identifier to look up the corresponding user information, like user name, role and permissions, usually from cache or database.
This allows the server to track the user's actions and provide a personalized experience.
Signed Cookie
Every time the server receives a request it has to make a database query to look up the user information. This becomes a problem under heavy traffic.
Using a fast key-value store might be one solution. Another is to store the user information in the cookie itself, which removes the lookup entirely and so solves the scaling problem permanently.
There is only one problem: what if the user modifies the cookie? The user could pretend to be anyone, or grant themselves any permissions.
To address this problem, we need to sign the cookie, so that the server can check whether the cookie has been tampered with.
Signing is not encrypting, so no sensitive content should be put in the cookie. The user can see the content, but any modification to it will be detected by the server.