Authentication & OAuth

Session Token

A server-generated opaque identifier, typically delivered in a Set-Cookie response header and stored by the browser as a cookie, that maps to server-side session data such as the authenticated user ID and preferences. On each subsequent request the browser returns the cookie, and the server looks up the session record in memory or a shared store like Redis. Session tokens are the traditional stateful alternative to stateless JWTs and support immediate revocation by deleting the server-side record.
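The lifecycle described above (issue, look up on each request, revoke by deletion), as an added example that is not part of the original entry. The cookie name `sid`, the 30-minute lifetime, the in-memory dict standing in for Redis, and storing only a hash of the token are assumptions of this sketch.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 1800  # seconds; constructed value for this example

class SessionStore:
    """In-memory stand-in for a shared store such as Redis (assumption)."""
    def __init__(self):
        self._records = {}  # sha256(token) -> session record

    @staticmethod
    def _key(token):
        # Added hardening choice: keep only a hash, so a dump of the store yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG; encodes no user data
        self._records[self._key(token)] = {"user_id": user_id, "expires": now + SESSION_TTL}
        return token

    def lookup(self, token, now=None):
        now = time.time() if now is None else now
        record = self._records.get(self._key(token))
        if record is None or record["expires"] <= now:
            self._records.pop(self._key(token), None)  # drop expired records on access
            return None
        return record

    def revoke(self, token):
        # Deleting the server-side record invalidates the token immediately.
        return self._records.pop(self._key(token), None) is not None

def set_cookie_header(token):
    cookie = SimpleCookie()
    cookie["sid"] = token
    for attr, value in (("httponly", True), ("secure", True), ("samesite", "Lax"), ("path", "/")):
        cookie["sid"][attr] = value
    return cookie["sid"].OutputString()  # value for a Set-Cookie response header

def token_from_cookie_header(header):
    cookie = SimpleCookie()
    cookie.load(header)  # parses the Cookie request header sent back by the browser
    return cookie["sid"].value if "sid" in cookie else None
```
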
