ARCHIVED from builddistributedsystem.com on 2026-04-28 — URL: https://builddistributedsystem.com/tracks/securitor/tasks/task-24-1-3-session-management
TASK

Implementation

Sessions store authentication state server-side. After login, the server creates a session record keyed by a random ID and sends that ID to the client as a cookie. On every subsequent request, the client presents the ID and the server looks up the session.

Implement a node that manages server-side sessions:

// Create a new session after successful login
{ "type": "create_session", "msg_id": 1, "user_id": "user123" }
-> { "type": "session_created", "in_reply_to": 1,
    "session_id": "<crypto-random-uuid>",
    "expires_at": <unix-timestamp> }

// Validate a session cookie on incoming request
{ "type": "validate_session", "msg_id": 2, "session_id": "abc123" }
-> { "type": "session_valid", "in_reply_to": 2,
    "user_id": "user123", "expires_in": 3600 }

// Regenerate session ID after privilege change (prevents fixation)
{ "type": "regenerate_session", "msg_id": 3, "old_session_id": "abc123" }
-> { "type": "session_regenerated", "in_reply_to": 3,
    "new_session_id": "<new-uuid>" }

// Destroy session on logout
{ "type": "destroy_session", "msg_id": 4, "session_id": "abc123" }
-> { "type": "session_destroyed", "in_reply_to": 4,
    "message": "Session destroyed" }

Sample Test Cases

Create session
Timeout: 5000ms
Input
{
  "src": "auth",
  "dest": "session",
  "body": {
    "type": "create_session",
    "msg_id": 1,
    "user_id": "user123"
  }
}
Expected Output
{"type": "session_created", "in_reply_to": 1, "session_id": ".*", "expires_at": ".*"}
Validate session
Timeout: 5000ms
Input
{
  "src": "api",
  "dest": "session",
  "body": {
    "type": "validate_session",
    "msg_id": 1,
    "session_id": "abc123"
  }
}
Expected Output
{"type": "session_valid", "in_reply_to": 1, "user_id": "user123", "expires_in": 3600}

Hints

Hint 1
Session ID must be cryptographically random (use uuid or similar)
Hint 2
validate_session returns user_id and expires_in from the stored session
Hint 3
regenerate_session creates a NEW random session_id and copies all session data to it
Hint 4
destroy_session removes the session from storage permanently
Hint 5
Session expiry: track created_at + ttl; return session_invalid if expired
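The following is an added worked example, not the site's reference solution or starter code: a single-node, in-memory implementation of the four message types above that also follows Hints 1 to 5. It assumes the src/dest/body envelope shown in the sample test cases, a default TTL of 3600 seconds, and an injectable clock so expiry can be exercised without sleeping. Session IDs come from secrets.token_urlsafe (256 bits from the OS CSPRNG; uuid.uuid4() would be an equally acceptable source). The exact shape of the session_invalid reply and the error reply for unknown types are assumptions, since the task only names the type.

```python
import json
import secrets
import sys
import time

DEFAULT_TTL_SECONDS = 3600  # assumed TTL; the task does not fix a value


class SessionStore:
    """In-memory server-side session records keyed by a random ID."""

    def __init__(self, ttl=DEFAULT_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock  # injectable so tests can move time forward
        self._sessions = {}  # session_id -> {"user_id", "created_at", "expires_at"}

    @staticmethod
    def _new_id():
        # Hint 1: IDs must be unguessable; 32 bytes from the OS CSPRNG.
        return secrets.token_urlsafe(32)

    def create(self, user_id):
        now = self.clock()
        sid = self._new_id()
        self._sessions[sid] = {"user_id": user_id, "created_at": now,
                               "expires_at": now + self.ttl}
        return sid, int(now + self.ttl)

    def lookup(self, sid):
        """Return the live record, or None if unknown or expired (Hint 5)."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self.clock() >= rec["expires_at"]:
            del self._sessions[sid]  # lazy eviction of expired sessions
            return None
        return rec

    def regenerate(self, old_sid):
        """Hint 3: fresh ID, same data; the old ID must stop working (fixation)."""
        rec = self.lookup(old_sid)
        if rec is None:
            return None
        del self._sessions[old_sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = dict(rec)
        return new_sid

    def destroy(self, sid):
        # Hint 4: permanent removal; idempotent so logout with a stale cookie is harmless.
        return self._sessions.pop(sid, None) is not None


def handle_message(store, envelope):
    """Dispatch one request envelope and return the reply envelope."""
    body = envelope["body"]
    mtype = body.get("type")
    if mtype == "create_session":
        sid, expires_at = store.create(body["user_id"])
        reply = {"type": "session_created", "session_id": sid, "expires_at": expires_at}
    elif mtype == "validate_session":
        rec = store.lookup(body.get("session_id", ""))
        if rec is None:
            reply = {"type": "session_invalid", "message": "Session not found or expired"}
        else:  # Hint 2: answer from the stored record, never from the client
            reply = {"type": "session_valid", "user_id": rec["user_id"],
                     "expires_in": int(rec["expires_at"] - store.clock())}
    elif mtype == "regenerate_session":
        new_sid = store.regenerate(body.get("old_session_id", ""))
        if new_sid is None:
            reply = {"type": "session_invalid", "message": "Session not found or expired"}
        else:
            reply = {"type": "session_regenerated", "new_session_id": new_sid}
    elif mtype == "destroy_session":
        store.destroy(body.get("session_id", ""))
        reply = {"type": "session_destroyed", "message": "Session destroyed"}
    else:
        reply = {"type": "error", "message": f"unknown message type {mtype!r}"}
    reply["in_reply_to"] = body.get("msg_id")
    return {"src": envelope["dest"], "dest": envelope["src"], "body": reply}


if __name__ == "__main__":
    # One JSON envelope per stdin line, one reply per stdout line.
    store = SessionStore()
    for line in sys.stdin:
        if line.strip():
            print(json.dumps(handle_message(store, json.loads(line))), flush=True)
```

Two design points worth noting: validation never trusts anything in the request beyond the ID itself (user_id and expiry come from the stored record), and regenerate deletes the old record before inserting the new one, so a cookie value an attacker planted before login stops working the moment the privilege level changes.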
OVERVIEW

Theoretical Hub

Concept overview coming soon

Key Concepts

session
session ID
session fixation
session expiry
session storage
Implement Secure Session Management - The Securitor | Build Distributed Systems