- Check user's identity, which is called
Authentication - No matter user's identified or not, server will still give them session id
So, marketing can take the number of session ID to know how many people visit the sites.
- Client's Cookie saves
seesion idand cookie will be sent out when the session is builded. - Session ID is unique number and timeliness
- Descide what user can and can't do, which is called
Authorization
- expressjs/session