The following documentation provides a detailed explanation of Corbado session management. If you already have session management in place that you want to keep, or want to use another session management solution, see the "Own session management" section.
After successful user authentication, Corbado creates a session. A session represents a logical connection between a user and the application, spanning multiple requests and responses.
Corbado employs a combination of technologies for its session management, ensuring a highly secure and user-friendly solution.
On the one hand, Corbado offers a short-term session, implemented with JSON Web Tokens (JWTs). This short-term session (represented as JWT) is passed within your application and serves as a means to verify user authentication (refer to the Protecting routes section for more details). As implied by its name, the short-term session (represented as JWT) has a limited, configurable lifespan, which enhances security.
The technical name of the short-term session (represented as JWT) cookie is
On the other hand, Corbado provides a long-term session that utilizes an opaque string as a session ID. This session ID is associated with a corresponding entry in the Corbado database. The long-term session (represented as session ID with database entry) serves the purpose of refreshing the short-term session (represented as JWT) as needed (refer to the Refresh section for more details).
The technical name of the long-term session (represented as session ID with database entry) cookie is
Implementing session management like this offers the following advantages:
- Short-term sessions (represented as JWT) can be verified client-side in less than 1 ms through standard JWT verification
- Long-term sessions (represented as session ID with database entry) can be listed and inspected in the developer panel, providing a comprehensive overview of users currently logged in and the devices they are using
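
The two-tier design described above, modelled as an added example (not Corbado's code or SDK): a short-term JWT verified locally with no lookup, and an opaque long-term session ID that exists only as a database entry and is used to mint a fresh JWT. Assumptions: HMAC-SHA256 (HS256) stands in for the signing algorithm, which the page does not state; the key, the 300-second lifetime, the in-memory dict and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets

KEY = secrets.token_bytes(32)  # constructed signing key (HS256 is an assumed stand-in)
SHORT_TTL = 300                # short-term session lifetime in seconds (assumed value)
long_sessions = {}             # stand-in for the database: session ID -> user ID

def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_short(user_id, now):
    """Mint a short-term session: a signed JWT carrying sub and exp."""
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64(json.dumps({"sub": user_id, "exp": now + SHORT_TTL}).encode())
    sig = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64(sig)}"

def verify_short(token, now):
    """Local check, no database or network: returns the user ID or None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(unb64(header)).get("alg") != "HS256":  # pin the algorithm
            return None
        expected = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64(sig)):
            return None
        claims = json.loads(unb64(body))
        return claims["sub"] if now < claims["exp"] else None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed token: treat as unauthenticated

def login(user_id, now):
    """After authentication: create both sessions."""
    session_id = secrets.token_urlsafe(32)  # opaque string, carries no claims
    long_sessions[session_id] = user_id
    return issue_short(user_id, now), session_id

def refresh(session_id, now):
    """Exchange a live long-term session for a fresh short-term one."""
    user_id = long_sessions.get(session_id)
    return issue_short(user_id, now) if user_id is not None else None
```

Because the short-term token is checked without a lookup, it remains valid until its `exp` even after the database entry is gone; only the refresh path consults the database.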