This page provides an overview of the Corbado Session Management.
The following documentation provides a detailed explanation of Corbado session management. If you already have a session management in place that you want to keep or want to use another session management solution, please check the “Own session management” section.
After successful user authentication, Corbado creates a session. A session represents a logical connection between a user and the application, spanning multiple requests and responses.
Corbado employs a combination of technologies for its session management, ensuring a highly secure and user-friendly solution.
Upon creating a session, Corbado records an entry in its session database. This entry is used for managing the status and lifetime of the session.
Additionally, it allows us to display all sessions in the developer panel and revoke them when needed.
Besides creating a session entry in the database, Corbado also generates a session-token.
The session-token is implemented through the usage of JSON Web Tokens (JWT). It is passed within your application and serves as a means to verify user authentication (refer to the Protecting routes section for more details).
If session refresh is enabled, the session-token has a limited lifespan, ensuring enhanced security.
The session-token is stored as a cookie by the Corbado UI component (with the name cbo_session_token, refer to Cookie Security for more details).
To enhance the security of the refresh mechanism (if enabled), a second token is generated: the refresh-token.
Every time a session-token is refreshed (generating a new one), the refresh-token is needed.
The refresh-token is stored as a cookie by the Frontend API (with the name cbo_refresh_token, refer to Cookie Security for more details).
cbo_long_session for backward compatibility.
Implementing session management like this offers the following advantages:
Please refer to our security section for a comprehensive understanding of the security advantages offered by our session design.
If you’re interested in understanding how Corbado compares to OAuth2, please refer to our OAuth2 comparison section.
Next, it is essential to protect your routes (both frontend and backend) by checking whether a user is authenticated and taking appropriate action accordingly.