
---

# 🍪 Sessions & CSRF — Best Practices

> **Intent** → Secure browser-based flows using **server-managed sessions** and protect against **CSRF attacks**.

---

## 🎯 Sessions

* Store only a **session ID** in the cookie, not user data
* Map session ID → user context in server/db/cache
* Mark cookies as **HttpOnly**, **Secure**, **SameSite**
* Keep sessions **short-lived**; rotate IDs after login
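The four bullets above, carried through as one added example (not code from the original page): an in-memory store that maps an opaque session ID to the user context, issues the ID with the recommended cookie attributes, expires it after a short TTL, and rotates the ID at login so a pre-authentication ID can never be promoted to an authenticated one. The store class, the 15-minute TTL and the `sid` cookie name are assumptions chosen for the illustration; a real deployment would back the store with a database or cache.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SESSION_TTL_SECONDS = 15 * 60  # assumed value: keep sessions short-lived


@dataclass
class Session:
    """Server-side user context; the browser never sees any of this."""
    user_id: Optional[str]
    created_at: float
    expires_at: float


class SessionStore:
    """Map opaque session ID -> Session (in-memory here; db/cache in practice)."""

    def __init__(self, ttl: int = SESSION_TTL_SECONDS,
                 now: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._ttl = ttl
        self._now = now  # injectable clock so expiry can be tested

    def create(self, user_id: Optional[str] = None) -> str:
        # 256 bits from the OS CSPRNG; the ID carries no user data at all.
        sid = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[sid] = Session(user_id, t, t + self._ttl)
        return sid

    def get(self, sid: str) -> Optional[Session]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() >= s.expires_at:
            # Lazy expiry: a stale ID is dropped the first time it is presented.
            del self._sessions[sid]
            return None
        return s

    def login(self, old_sid: str, user_id: str) -> str:
        # Rotate on privilege change: the pre-auth ID is invalidated and a
        # fresh ID is bound to the user, so a fixated or leaked ID is useless.
        self._sessions.pop(old_sid, None)
        return self.create(user_id)

    def revoke(self, sid: str) -> None:
        """Server-side logout / suspicious-session revocation."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str, max_age: int = SESSION_TTL_SECONDS,
                          same_site: str = "Lax") -> str:
    """Set-Cookie line for the session ID with the hardening attributes set."""
    # HttpOnly: not readable by script; Secure: HTTPS only;
    # SameSite: not attached to most cross-site requests.
    return (f"Set-Cookie: sid={sid}; Path=/; Max-Age={max_age}; "
            f"HttpOnly; Secure; SameSite={same_site}")


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    sid = store.login(anon, "alice")      # ID rotated on login
    print(session_cookie_header(sid))
    print(store.get(anon), store.get(sid).user_id)
```

Passing a fixed clock into `SessionStore` makes the TTL behaviour deterministic in tests; in production the default `time.time` is used.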

---

## ⚠️ CSRF (Cross-Site Request Forgery)

* Attacker tricks browser into sending **authenticated requests**
* Risk: state-changing ops (POST/PUT/DELETE) sent with the victim's own cookies, which the browser attaches automatically (no cookie theft required)

---

## 🔐 CSRF Protections

* Use **SameSite=Lax/Strict** cookies (limits cross-site sending)
* Include **CSRF tokens** in forms/headers → must match the token the server stored for that session
* For APIs used by SPAs/mobile → prefer **Bearer tokens** over cookie auth
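The token check from the bullets above, as an added example rather than code from the original page: a per-session synchronizer token is issued once, rendered into forms as a hidden field (or sent by script in a header), and every state-changing request must present a value that matches the stored one under a constant-time comparison. Safe methods (GET/HEAD/OPTIONS) are exempt, as they should carry no state change. The `CsrfGuard` class, the `csrf_token` field name and the `X-CSRF-Token` header name are assumptions for the illustration; the token map would normally live inside the session record.

```python
import hmac
import html
import secrets
from typing import Dict, Mapping, Optional

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


class CsrfGuard:
    """Synchronizer-token CSRF protection keyed by session ID."""

    FIELD = "csrf_token"        # assumed hidden-field name
    HEADER = "x-csrf-token"     # assumed header name (compared lower-cased)

    def __init__(self) -> None:
        # session id -> token; would be a field of the server-side session
        self._tokens: Dict[str, str] = {}

    def issue(self, sid: str) -> str:
        """Create (or replace) the token for a session. A cross-site page
        cannot read it, so it cannot forge a matching request."""
        tok = secrets.token_urlsafe(32)
        self._tokens[sid] = tok
        return tok

    def hidden_field(self, sid: str) -> str:
        """HTML snippet to embed in a server-rendered form."""
        tok = self._tokens.get(sid) or self.issue(sid)
        return (f'<input type="hidden" name="{self.FIELD}" '
                f'value="{html.escape(tok)}">')

    def verify(self, sid: str, method: str,
               form: Optional[Mapping[str, str]] = None,
               headers: Optional[Mapping[str, str]] = None) -> bool:
        """True if the request may proceed; False means reject (403)."""
        if method.upper() in SAFE_METHODS:
            return True
        expected = self._tokens.get(sid)
        if expected is None:
            return False                      # unknown/expired session
        presented = (form or {}).get(self.FIELD)
        if not presented and headers:
            lowered = {k.lower(): v for k, v in headers.items()}
            presented = lowered.get(self.HEADER)
        if not presented:
            return False                      # token missing
        # compare_digest avoids leaking the token through timing differences
        return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    guard = CsrfGuard()
    print(guard.hidden_field("session-123"))
    tok = guard.issue("session-123")
    print(guard.verify("session-123", "POST", form={"csrf_token": tok}))
    print(guard.verify("session-123", "POST", form={"csrf_token": "forged"}))
```

Because the token is tied to the session ID, a forged cross-site POST that arrives with the victim's cookie still fails: the attacker's page never learned the token value, and the constant-time comparison gives it nothing to probe.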

---

## 🧪 Additional Hardening

* Re-authenticate for **sensitive actions** (e.g., password change)
* Rate-limit login/session endpoints
* Monitor and revoke suspicious sessions quickly

---

## 🏁 Outcome

Browser-based auth stays **safe**:

* **Sessions** = lightweight, secure cookie IDs
* **CSRF defense** = SameSite + tokens
* Result = **protected, user-friendly web flows**

---
