SIMPLE, SECURE AND EFFICIENT SESSIONS

Session Management

Easy authentication is the first step. Creating and managing sessions in a secure and simple ways comes after. Let Corbado handle it for you.

  • Simple to implement

  • Secure

  • Central & JWT-based

Start for freeDocumentation
Cookie image

COMBINE EFFICIENCY OF JWTS WITH THE SECURITY OF CENTRAL SESSIONS

Corbado's session management approach

Our session management integrates two distinct yet complementary approaches: short-term and long-term sessions. Both are implemented as cookies and blend to a highly secure and user-friendly solution.

Short-term sessions with JSON Web Tokens (JWTS)

Our short-term sessions utilize JSON Web Tokens (JWTs). These JWTs help confirm resource requests within your application swiftly and efficiently. Moreover, the lifespan of these short-term sessions is adjustable, enhancing overall security.
Typical lifetime: rather short, e.g. 5-60 mins.
Benefits: Fast client-side verification, additional user information obtainable through JWT claims

Long-term sessions for central session management

For maintaining users authenticated for a longer time, we use central long-term sessions, represented by unique session IDs linked to a database entry. These session IDs refresh the short-term sessions as needed, providing a persistent, secure user experience.
Typical lifetime: rather long, e.g. 1-30 days
Benefits: Comprehensive user, session and device overview, convenient session revocation

BENEFITS OF SESSION MANAGEMENT

Security by simplicity.

Shield Icon

Greater security

Combination of short- and longer-term sessions to leverage extra security levels.

Lightning Icon

Fast verification

Short-term sessions can be verified in milliseconds through standard JWT verification.

Touch Icon

Superior control

Long-term sessions can be revoked, providing superior control.

ENHANCE YOUR USERS' SECURITY BY VERIFYING THEIR STATUS

Protecting routes

If certain routes in your application are only accessible to authenticated users, it is essential to protect them by verifying the user's authentication status. The approach for this may vary depending on the overall setup of your application.

Frontend

Backend

Session received via

Regular web app (no SPA)

e.g. Vanilla HTML / CSS / JS

e.g. Node.js / PHP Symfony

Cookie

SPA with Frontend & Backend on same host

e.g. Vue.js / React / Angular

e.g. Node.js / PHP Symfony

Cookie

SPA with Frontend & Backend on different host

e.g. Vue.js / React / Angular

e.g. Node.js / PHP Symfony

Cookie

Multiple Backends (microservice architecture)

e.g. Vue.js / React / Angular

e.g. Node.js / PHP Symfony

HTTP authorization header (bearer token)

Try Corbado now!

Add passkeys to your app in <1 hour.

Start for free

No credit card required

Free community plan

For new & existing apps