P3
Anatomy of your session
Inspect a real session, then revoke one.
- 1
Open your account and look at active sessions.
The cookie is __Host-lab_session (HttpOnly, Secure, SameSite=Lax); only the SHA-256 of its token is stored, so a DB read never yields a usable session.
- 2
Revoke a session from the device list.
Revocation is server-side and immediate — the next request on that token is rejected, unlike a stateless token you can’t call back.
Do it
This one happens on your account page — register a passkey, revoke a session, or enroll TOTP there.
Go to your account →Learn the theory
🩻 X-ray — what actually happened
Your own insert-only audit trail — the real server events, sanitized (never a secret), each linked to the lesson that explains it.
Loading…