Question 1

What is the difference between server-side sessions and JWT tokens?

Accepted Answer

Server-side sessions: on login, generate a random session ID (e.g., 32-byte hex string), store session data (user_id, roles, permissions) in Redis with TTL. Send the session ID as a cookie. On each request, look up Redis to get the session data. Advantages: instant revocation (delete the Redis key), session data can be large (stays on server), sensitive data never leaves the server. Disadvantages: Redis is in the hot path of every request; Redis is a dependency that must be highly available. JWT (JSON Web Token): session data is encoded in the token itself and signed (not encrypted). No server-side storage needed. On each request, verify the signature using the secret key — no DB or Redis lookup. Advantages: stateless, horizontally scales without a shared session store. Disadvantages: revocation is hard (token is valid until expiry); keep expiry short (15-60 minutes) and use refresh tokens for longer sessions. Never put sensitive data in JWT payload (it is base64-encoded, not encrypted).

Question 2

How does the refresh token pattern work?

Accepted Answer

Short-lived JWT access tokens (15-60 minutes) + long-lived refresh tokens (7-30 days). Access token: used in the Authorization header for every API call. Stateless verification (no DB lookup). Expires quickly, limiting the window if stolen. Refresh token: an opaque random token stored in an HttpOnly cookie. Used only to request a new access token from the auth endpoint. Stored server-side (Redis or DB) — can be revoked. On logout: delete the refresh token from the server. On access token expiry: client sends refresh token → server validates it in Redis → issues new access token (and optionally rotates the refresh token). Refresh token rotation: each use of the refresh token issues a new one and invalidates the old. If an attacker steals a refresh token and uses it, the legitimate user's next use will be rejected (the old token is gone) — this detects theft. Rotate refresh tokens on every use for high-security applications.

Question 3

How do you implement concurrent session management (max N devices)?

Accepted Answer

Track all active sessions per user: store a sorted set in Redis: ZADD user_sessions:{user_id} {created_at_epoch} {session_id}. On new login: ZADD the new session_id. ZCARD to count current sessions. If count > max_sessions: ZRANGE user_sessions:{user_id} 0 0 to get the oldest session_id. Delete it: DEL session:{oldest_session_id}. ZREM user_sessions:{user_id} {oldest_session_id}. The evicted session is invalidated immediately. Show users their active sessions (device, last IP, last active time) in account settings so they can revoke suspicious sessions. On logout: DEL session:{session_id}, ZREM user_sessions:{user_id} {session_id}. On "logout all devices": SMEMBERS → delete each session → delete the set.

Question 4

What cookie security attributes prevent session hijacking and CSRF?

Accepted Answer

HttpOnly: the cookie is not accessible via JavaScript (document.cookie). Prevents XSS attacks from stealing the session cookie — even if an attacker injects malicious JS, they cannot read the session cookie. Secure: the cookie is only sent over HTTPS connections. Prevents session ID interception on HTTP (man-in-the-middle attacks). SameSite=Strict: the cookie is not sent in cross-site requests. Prevents CSRF (Cross-Site Request Forgery): a malicious website cannot trick the user's browser into making authenticated requests to your API. SameSite=Lax allows the cookie for same-site navigation (GET requests) — use when cross-site navigation is needed (e.g., OAuth redirects). SameSite=None requires Secure=true. Set all three: HttpOnly; Secure; SameSite=Strict. Additionally: set a short TTL (30-60 minutes idle timeout, extend on activity), regenerate the session ID after login to prevent session fixation, and bind the session to IP/User-Agent for high-security applications (note: this breaks for mobile users).

Question 5

How do you handle session expiry and idle timeout?

Accepted Answer

Two types of session expiry: (1) Absolute expiry: the session expires at a fixed time after creation, regardless of activity. Example: 8-hour session expires at 5pm even if the user is active. Used for compliance (banking: sessions must expire after N hours). (2) Idle timeout: the session expires after N minutes of inactivity. Refreshed on every authenticated request. Used for security (lock out inactive users). Implementation in Redis: idle timeout = EXPIRE with a rolling TTL. On each request: GET session:{session_id} (resets if using GETEX, or manually EXPIRE session:{session_id} 1800 after each access). Absolute expiry: store expires_at in the session data. On each request: check if datetime.now() > session.expires_at; if yes, delete session and redirect to login. Combine both: absolute_expiry from session data + Redis TTL for idle timeout. Redis TTL handles idle cleanup automatically; absolute expiry is checked in application code.

Session Management System Low-Level Design

What is Session Management?

Server-Side Sessions (Redis)

JWT (JSON Web Tokens) — Stateless Sessions

Refresh Token Pattern

Concurrent Session Management

Security Hardening

Key Design Decisions