Session
A session allows stateful information to be maintained across multiple HTTP requests, which is crucial because HTTP is stateless by default.
When a user first interacts with a platformOS application through a web browser, a session is created and its identifier is stored in the _pos_session cookie. On the server side, platformOS stores session data in Redis.
Security
When the user logs in, the old session is dropped and a new one is generated as a countermeasure against session fixation attacks.
Additionally, to prevent Cross-Site Request Forgery (CSRF) attacks, platformOS implements CSRF tokens by default and invalidates the session if a POST/PUT/PATCH/DELETE request is made without a valid CSRF token.
Storing metadata in the session (server side)
To store metadata in the session (for example, the ID of a shopping cart for a user who is not logged in), you can use the session liquid tag.
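As an added illustration (not taken from the platformOS documentation), the following Liquid page keeps an anonymous visitor's cart ID in the server-side session, so the value lives in Redis rather than in a cookie the client could edit. The GraphQL query name `create_cart`, the `record_create.id` result field, and reading the value back through `context.session.cart_id` are assumptions for this example.

```liquid
{% comment %}
  Added example, not part of the original page.
  Assumed: a GraphQL mutation file named "create_cart" returning
  record_create.id, and session values readable via context.session.
{% endcomment %}

{% comment %} Read the cart id saved on an earlier request, if any. {% endcomment %}
{% assign current_cart_id = context.session.cart_id %}

{% if current_cart_id == blank %}
  {% comment %} First visit: create the cart and remember its id server-side. {% endcomment %}
  {% graphql result = 'create_cart' %}
  {% assign current_cart_id = result.record_create.id %}
  {% session cart_id = current_cart_id %}
{% endif %}

{% comment %}
  Later requests reuse the stored id. Because the id never leaves the
  server-side session, the visitor cannot swap it for another user's cart
  by editing a cookie; only the opaque _pos_session identifier is sent.
{% endcomment %}
<p>Your cart: {{ current_cart_id }}</p>
```

The cart ID is still tied to the session lifetime: once the user logs in and platformOS rotates the session, carry the value over explicitly if it should survive authentication.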
Note
For more information about session management, refer to the Authentication article.