Sessions, Tokens and Staying Logged In
Once a user logs in, the system needs to remember them as they move from page to page, without asking for the password again. Two common techniques handle this: sessions and tokens.
The choice affects how your product scales and how it works across web and mobile, so it is worth understanding the difference at a high level.
How Each Works
A session keeps the record of who you are on the server and hands the browser only a small, opaque reference to that record. A token packs that proof into a signed string the client carries with every request, so the server can check the signature instead of looking anything up.
Keeping It Secure
Whichever approach we use, the goal is the same: keep you conveniently logged in while making it very hard for anyone to hijack your session.
- Sessions and tokens expire so a stolen one is short-lived.
- They are sent only over encrypted connections.
- Logging out and password changes invalidate them.
| Approach | Best for | Trade-off |
|---|---|---|
| Sessions | Classic web apps | Server keeps state |
| Tokens | APIs, mobile, multiple services | Harder to revoke instantly |
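As an added example (not code from the original page or from Progressive Robot), the following Python sketch implements both approaches described under "How Each Works" and the three rules under "Keeping It Secure": expiry, encrypted-transport aside, logout and password-change invalidation. The class and function names, the HMAC-signed token layout and the "password version" claim are assumptions chosen for illustration; they are not a standard token format such as JWT.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example: a real deployment loads the signing key from
# configuration or a secret store rather than generating it at import time.
SECRET_KEY = secrets.token_bytes(32)


class SessionStore:
    """Server-side sessions: the server keeps the state, the client only holds
    an opaque, unguessable session ID (normally delivered in a cookie)."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._sessions = {}  # session_id -> (user_id, expires_at)

    def create(self, user_id, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # a reference only; carries no user data
        self._sessions[sid] = (user_id, now + self.ttl)
        return sid

    def lookup(self, sid, now=None):
        """Return the user for a valid session ID, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            del self._sessions[sid]  # expired: a stolen ID is short-lived
            return None
        return user_id

    def revoke(self, sid):
        """Logout: because the state lives here, revocation is instant."""
        self._sessions.pop(sid, None)

    def revoke_all_for_user(self, user_id):
        """Password change: drop every session belonging to the user."""
        for sid in [s for s, (u, _) in self._sessions.items() if u == user_id]:
            del self._sessions[sid]


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, password_version, ttl_seconds, now=None):
    """Signed token: the claims travel with the client; the server keeps no
    per-token state and later verifies the HMAC instead of doing a lookup."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "pv": password_version, "exp": now + ttl_seconds}
    body = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"


def verify_token(token, password_versions, now=None):
    """Return the user for a valid token, or None.

    password_versions maps user -> current password version (assumed to live
    with the user record); bumping it on a password change is how a stateless
    token gets 'revoked' without keeping a per-token store."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None  # forged or tampered: signature does not match
        claims = json.loads(_b64d(body))
        if now >= claims["exp"]:
            return None  # expired: a stolen token is short-lived
        if claims["pv"] != password_versions.get(claims["sub"]):
            return None  # password changed after issue: treat as revoked
        return claims["sub"]
    except (ValueError, TypeError, KeyError):
        return None  # malformed token
```

The table's trade-off shows up directly in the code: `SessionStore.revoke` takes effect on the next request because the server owns the record, whereas a token stays valid until `exp` unless something it carries (here the password version) no longer matches. Revoking one specific token early would need a server-side denylist, which brings back exactly the state tokens were meant to avoid.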
If you need a hand with any of this, your Progressive Robot delivery team is ready to help. Raise a ticket from the Support area of your client portal or speak to your account manager and we will guide you through the next steps.