What are sessions and cookies?

A cookie is a small piece of data the server puts in your browser. The browser sends it back with every request — automatically, without you doing anything.

A session is the server reading that cookie to know who you are. The cookie stores your user ID (signed with a secret so it can't be forged), and the server looks up your user record each time.

How it works

  1. You log in with your email and password.
  2. The server verifies your credentials and creates a session cookie containing your user ID.
  3. Your browser stores the cookie and sends it with every request.
  4. On each request, the server reads the cookie, finds your user, and knows it's you.
  5. When you log out, the server clears the cookie (it tells the browser to delete it), so the session ends.

Why signed cookies?

The cookie is signed with a secret key. This means if someone tries to change the user ID inside the cookie, the signature won't match, and the server will reject it. You can't forge a session without knowing the secret.

This is why the COOKIE_SECRET environment variable matters — it's the key that keeps sessions trustworthy.
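As an added example (not code from the original page), here is a minimal signed session cookie in Python that follows the flow above: the cookie carries the user ID plus an HMAC over it, and the server recomputes the HMAC before trusting the ID. The function names are assumed, and the secret falls back to a demo value when the COOKIE_SECRET environment variable is not set.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Demo fallback only; a real server must read the key from COOKIE_SECRET.
COOKIE_SECRET = os.environ.get("COOKIE_SECRET", "demo-secret-do-not-use").encode()


def _b64(raw: bytes) -> str:
    # URL-safe base64 without padding, so the value is cookie-friendly.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _sign(payload: bytes, secret: bytes) -> str:
    # HMAC-SHA256 over the payload; only someone holding the secret can produce it.
    return _b64(hmac.new(secret, payload, hashlib.sha256).digest())


def make_session_cookie(user_id: int, secret: bytes = COOKIE_SECRET) -> str:
    # Cookie value is "<base64 user id>.<signature>". Note that signing stops
    # tampering but not reading: the user ID is still visible to whoever holds it.
    payload = str(user_id).encode()
    return f"{_b64(payload)}.{_sign(payload, secret)}"


def read_session_cookie(cookie: str, secret: bytes = COOKIE_SECRET):
    # Returns the user ID if the signature is valid, otherwise None.
    try:
        body, sig = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except (ValueError, binascii.Error):
        return None
    # compare_digest avoids leaking the comparison result through timing.
    if not hmac.compare_digest(_sign(payload, secret), sig):
        return None
    try:
        return int(payload)
    except ValueError:
        return None


if __name__ == "__main__":
    cookie = make_session_cookie(42)
    print("valid cookie ->", read_session_cookie(cookie))          # 42
    # Forgery attempt: swap in a different user ID but keep the old signature.
    forged = make_session_cookie(1).split(".")[0] + "." + cookie.split(".")[1]
    print("forged cookie ->", read_session_cookie(forged))         # None
```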