🧩 Big Picture
There are two types of sessions in a web app:
- Authentication session (Cognito, tokens)
- Application session (DynamoDB, Redis, etc.) They interact, but they serve different layers of your application.
🔹 1️⃣ Authentication session — “Who is this user?”
- Managed by Amazon Cognito (or another identity provider).
- Exists to prove the user’s identity.
- Represented by JWT tokens (ID, access, refresh).
- Has a limited lifetime (e.g., 1 hour access token, 30-day refresh token).
- Stored on the client (browser/app), usually in cookies or local storage. 💡 Purpose: Security and authorization.
🔹 2️⃣ Application session — “What is this user doing?”
- Managed by your application backend.
- Stored i…
🧩 Big Picture
There are two types of sessions in a web app:
- Authentication session (Cognito, tokens)
- Application session (DynamoDB, Redis, etc.) They interact, but they serve different layers of your application.
🔹 1️⃣ Authentication session — “Who is this user?”
- Managed by Amazon Cognito (or another identity provider).
- Exists to prove the user’s identity.
- Represented by JWT tokens (ID, access, refresh).
- Has a limited lifetime (e.g., 1 hour access token, 30-day refresh token).
- Stored on the client (browser/app), usually in cookies or local storage. 💡 Purpose: Security and authorization.
🔹 2️⃣ Application session — “What is this user doing?”
- Managed by your application backend.
- Stored in a shared, durable store (e.g., DynamoDB or ElastiCache Redis).
Contains:
- Shopping cart contents
- Current page or step in checkout
- Temporary preferences
- In-progress transaction data
Exists while the user interacts with the site — can be tied to login, but not always. 💡 Purpose: Maintain continuity of user activity across requests.
🔗 How they relate
- When a user authenticates (Cognito → returns JWT token), your backend validates that token.
- Once validated, your backend creates or retrieves the application session for that user (from Redis/DynamoDB).
- The application session may use the user ID from the token as a key. So, yes — the application session is often associated with the authenticated user, but it’s not dependent on the authentication system.
You could even have:
- Guest sessions (user not logged in, but cart stored via session ID).
- Authenticated sessions (user logged in, data keyed by Cognito user ID).
⚖️ Analogy
Imagine a shopping mall:
-
Cognito = Security guard at the entrance — checks who you are, gives you a pass.
-
Application session = Shopping cart — holds what you’re doing inside the mall. They work together, but are two separate systems:
-
Losing your cart doesn’t unauthenticate you.
-
Losing your token doesn’t empty your cart (until your app decides so).
✅ In summary
| Aspect | Authentication Session | Application Session |
|---|---|---|
| Managed by | Cognito / Identity Provider | App backend (Redis, DynamoDB) |
| Purpose | Verify who the user is | Track what the user is doing |
| Stored where | Client (JWT tokens) | Backend store |
| Lifetime | Based on token expiry | Based on app logic |
| Relation | Often linked by user ID | Uses user ID as key (optional) |
If a question says:
“The company wants to maintain user login state” → That’s Cognito (authentication session).
If it says:
“The company wants to store session data durably or share across instances” → That’s DynamoDB or Redis (application session).