This approach uses a cookie session on the koa side, after which any front end request will include the session cookie on every request. The elegancy of this method is that you don't have to make the front end aware of the session id. Security wise the session cookie is HTTP Only, which makes it impossible for front end scripts to access the cookie in the first place.
Original question found here on StackOverflow.