Session
A session allows you to maintain stateful information across multiple HTTP requests, which is crucial because HTTP is stateless by default.
When a user first interacts with a platformOS application using a web browser, the session is created and stored in the _pos_session cookie. On the server side, platformOS stores sessions in Redis.
Security
When the user logs in, the old session is dropped and a new one is generated as a countermeasure to various Session Fixation attacks.
Moreover, to prevent Cross-Site Request Forgery attacks, platformOS by default implements the CSRF Token and invalidates the session if a POST/PUT/PATCH/DELETE request is made without a valid CSRF token.
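A small Python model of the two defences described above, added here as an illustration; it is not platformOS code. The SessionStore class, its method names, the in-memory dict standing in for Redis, and the 401/403 status codes are assumptions made for the example.

```python
import hmac
import secrets

# Methods that change state and therefore require a valid CSRF token.
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


class SessionStore:
    """Hypothetical in-memory stand-in for the server-side store (Redis on platformOS)."""

    def __init__(self):
        self._sessions = {}  # session id (cookie value) -> session data

    def create(self, data=None):
        """Create a session under a fresh random id with a fresh CSRF token."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {**(data or {}), "csrf_token": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def drop(self, sid):
        self._sessions.pop(sid, None)

    def login(self, old_sid, user_id):
        """Session fixation defence: drop the pre-login session and issue a new id,
        so an id planted before login never becomes an authenticated session."""
        self.drop(old_sid)
        return self.create({"user_id": user_id})

    def handle(self, sid, method, csrf_token=None):
        """Return (status, session). A state-changing request without a valid
        CSRF token invalidates the whole session, not just the request."""
        session = self.get(sid)
        if session is None:
            return 401, None  # assumed status for an unknown or dropped session
        if method in UNSAFE_METHODS:
            supplied = (csrf_token or "").encode()
            # Constant-time comparison avoids leaking the token through timing.
            if not hmac.compare_digest(supplied, session["csrf_token"].encode()):
                self.drop(sid)
                return 403, None  # assumed status for a failed CSRF check
        return 200, session
```
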
Storing metadata in the session (server side)
To store metadata in the session (a typical example would be the id of a shopping cart belonging to a user who is not logged in), you can use the session Liquid tag.
Note
For more information about session management, refer to Authentication.