Session state is the user-specific data an application keeps across multiple actions or requests during a single user session. A user session can contain:
- User authentication information
- User preferences
- Form data, navigation history, shopping cart contents or any other application state that the user does not want to lose
- Temporary data
- Security tokens
Client Session State
The session is stored in the browser, in cookies or in localStorage, and sent back to (or read by) the application on each request.
- ✅ Reduced server load. The server does not need to keep data between requests, which reduces its memory footprint.
- ✅ Scalability. A stateless server can be scaled horizontally; any instance can serve any request.
- ✅ Simplified session management. The frontend developer controls session timeouts and session data.
- ❌ Security risk. Anything in localStorage, and any cookie without the HttpOnly flag, is readable by script injected through XSS, so sensitive data should not be stored on the client at all. Encrypting it on the client does not help (the key is on the client too), and if the server encrypts it the client cannot use it, in which case it might as well stay on the server. Session cookies should carry the Secure, HttpOnly and SameSite attributes.
- ❌ Data integrity. The user can modify anything stored in the browser, so the server must treat client-held session data as untrusted input: sign it (or use authenticated encryption), verify the tag and expiry on every request, and still validate every value before acting on it.
- ❌ Cross-device usage. Session data exists only on the device that holds it. It can be synchronized across devices, but that requires server-side storage and comes at a cost.
- ❌ Privacy issues. Regulations such as the GDPR require explicit user consent for storing data in the browser that is not strictly necessary for the requested service. Consent handling adds complexity and affects the user experience.
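As an added example (not code from the original page), here is what a signed client-side session looks like in Python: the server serializes the session data together with an expiry, appends an HMAC-SHA256 tag under a key only the server holds, and on every request recomputes and compares the tag before trusting anything in the cookie. The function names, SERVER_KEY and the tampering helper are hypothetical; the body is only base64-encoded, so the user can still read it, which is why nothing secret goes into it.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Hypothetical server-side key: generated here for the demo; in practice it is loaded from a
# secrets manager, rotated, and never shipped to the browser.
SERVER_KEY = secrets.token_bytes(32)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_cookie(data: dict, ttl_seconds: int, key: bytes = SERVER_KEY,
                         now: Optional[float] = None) -> str:
    """Serialize the session data plus an expiry and append an HMAC-SHA256 tag.
    The body is only base64-encoded, so the user can read it: never put secrets in it."""
    now = time.time() if now is None else now
    payload = dict(data, exp=int(now) + ttl_seconds)
    body = _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = _b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_session_cookie(cookie: str, key: bytes = SERVER_KEY,
                          now: Optional[float] = None) -> Optional[dict]:
    """Return the session data only if the tag verifies and the cookie has not expired."""
    now = time.time() if now is None else now
    try:
        body, tag = cookie.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison: a plain == would leak how many tag bytes matched.
        if not hmac.compare_digest(expected, _b64d(tag)):
            return None
        payload = json.loads(_b64d(body))
    except (ValueError, UnicodeDecodeError):
        return None  # malformed cookie: missing separator, bad base64, bad JSON
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


def tamper_with_cookie(cookie: str, changes: dict) -> str:
    """Simulate a user editing the readable body in the browser while keeping the original tag."""
    body, tag = cookie.split(".", 1)
    payload = json.loads(_b64d(body))
    payload.update(changes)
    forged = _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{forged}.{tag}"


if __name__ == "__main__":
    c = issue_session_cookie({"user": "alice", "role": "user"}, ttl_seconds=3600)
    print("valid:  ", verify_session_cookie(c))
    print("forged: ", verify_session_cookie(tamper_with_cookie(c, {"role": "admin"})))
    print("expired:", verify_session_cookie(c, now=time.time() + 7200))
```

Note what the tag does and does not give you: it detects modification and expiry, but the body is readable by anyone holding the cookie, and any script that can read the cookie can replay it until it expires. Set the cookie with Secure, HttpOnly and SameSite, and keep the TTL short.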
Server Session State
The session is stored on the server side; the client holds only an opaque session identifier, typically in a cookie.
- ✅ Security. Sensitive data stays on the server, where it is much harder for an attacker to read or manipulate.
- ✅ Data integrity. The server validates and manages the data without relying on the untrusted client.
- ✅ Performance. When the session is kept in memory it is fast to look up and update, and no serialization or deserialization of the session data is needed.
- ❌ Scalability. Scaling a stateful server under high load costs more than scaling a stateless one: requests must be routed to the instance that holds the session (sticky sessions) or the session must be moved to shared storage, so more complex scaling patterns are needed depending on where the session data is kept.
- ❌ Availability. If the session is kept in memory, a server crash or restart loses every active session, so the availability of that server becomes critical.
Database Session State
The session is stored in a database shared by all instances of the application; the client again holds only the session identifier.
- ✅ Persistence. Session data survives server crashes and restarts.
- ✅ Scalability. Session data is stored and accessed centrally, so any of the scaled instances of the application can serve any request.
- ✅ Security. Databases provide encryption, access control and audit trails out of the box.
- ✅ Data integrity. Data is managed in one central place.
- ❌ Performance overhead. Retrieving data from the database costs more than reading an in-memory object; every request now pays a round trip.
- ❌ Increased complexity. Maintaining session data in the database requires additional database configuration, connection management and an abstraction layer for resolving the data.
- ❌ Dependency. The database becomes a critical dependency and a single point of failure (SPOF): its performance and availability determine the availability of the whole system.
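The server-side and database variants above expose the same API to the application; what differs is the storage primitive behind it. As an added example (not code from the original page), the Python below implements one SessionStore with an in-memory backend and a SQLite backend (sqlite3 is in the standard library). The client only ever receives an opaque 256-bit random identifier, the ID is rotated at login to defeat session fixation, and expired rows can be purged in bulk. restart_survival_demo simulates a restart by constructing a fresh store instance and shows that the in-memory session is gone while the SQLite one survives. All class and function names and the sample session data are assumed for illustration.

```python
import json
import os
import secrets
import shutil
import sqlite3
import tempfile
import time
from typing import Optional, Tuple


def _now(now):
    return time.time() if now is None else now


class SessionStore:
    """Server-side session API; subclasses supply the three storage primitives.
    The client holds only the opaque session ID; the data never leaves the server."""
    def _load(self, sid): raise NotImplementedError    # returns (data, exp) or None
    def _save(self, sid, data, exp): raise NotImplementedError
    def _delete(self, sid): raise NotImplementedError

    def create(self, data: dict, ttl: int, now: Optional[float] = None) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: unguessable, carries no data
        self._save(sid, data, _now(now) + ttl)
        return sid

    def get(self, sid: str, now: Optional[float] = None) -> Optional[dict]:
        entry = self._load(sid)
        if entry is None or entry[1] <= _now(now):
            self._delete(sid)  # lazily drop an expired session when it is touched
            return None
        return entry[0]

    def rotate(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        # Fresh ID, same data and expiry. Do this at login so an ID planted by an attacker
        # before authentication (session fixation) is no longer valid afterwards.
        entry = self._load(sid)
        self._delete(sid)
        if entry is None or entry[1] <= _now(now):
            return None
        new_sid = secrets.token_urlsafe(32)
        self._save(new_sid, entry[0], entry[1])
        return new_sid

    def destroy(self, sid: str) -> None:
        self._delete(sid)  # logout must invalidate on the server, not just drop the cookie


class MemorySessionStore(SessionStore):
    """Dict-backed: fastest, but every session dies with the process."""
    def __init__(self):
        self._sessions = {}
    def _load(self, sid):
        return self._sessions.get(sid)
    def _save(self, sid, data, exp):
        self._sessions[sid] = (dict(data), exp)
    def _delete(self, sid):
        self._sessions.pop(sid, None)


class SqliteSessionStore(SessionStore):
    """SQLite-backed: a round trip per access, but sessions survive restarts and are shareable."""
    def __init__(self, path: str):
        self._db = sqlite3.connect(path)
        self._db.execute("CREATE TABLE IF NOT EXISTS sessions "
                         "(sid TEXT PRIMARY KEY, data TEXT NOT NULL, exp REAL NOT NULL)")
        self._db.commit()
    def _load(self, sid):
        row = self._db.execute("SELECT data, exp FROM sessions WHERE sid = ?", (sid,)).fetchone()
        return None if row is None else (json.loads(row[0]), row[1])
    def _save(self, sid, data, exp):
        self._db.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?, ?)",
                         (sid, json.dumps(data), exp))
        self._db.commit()
    def _delete(self, sid):
        self._db.execute("DELETE FROM sessions WHERE sid = ?", (sid,))
        self._db.commit()
    def purge_expired(self, now: Optional[float] = None) -> int:
        # Housekeeping job: delete expired rows in bulk; returns how many were removed.
        cur = self._db.execute("DELETE FROM sessions WHERE exp <= ?", (_now(now),))
        self._db.commit()
        return cur.rowcount


def restart_survival_demo(now: float = 1_000_000.0) -> Tuple[bool, bool]:
    """Create a session in each backend, 'restart' by building a fresh store instance, and
    report (memory_session_survived, sqlite_session_survived). Uses a temporary database file."""
    tmp = tempfile.mkdtemp()
    try:
        mem_sid = MemorySessionStore().create({"user": "alice"}, 3600, now)
        mem_survived = MemorySessionStore().get(mem_sid, now + 1) is not None
        path = os.path.join(tmp, "sessions.db")
        sql_sid = SqliteSessionStore(path).create({"user": "alice"}, 3600, now)
        reopened = SqliteSessionStore(path)  # same file, as a new process would open it
        sql_survived = reopened.get(sql_sid, now + 1) is not None
        return mem_survived, sql_survived
    finally:
        shutil.rmtree(tmp, ignore_errors=True)
```

The store returns None for an unknown, expired or destroyed ID in exactly the same way, so a caller cannot tell which case it hit; the client never learns anything beyond "not logged in". A production deployment would put the SQLite backend behind a shared database or cache and run purge_expired on a schedule rather than relying on lazy deletion alone.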