L The IntegrAuth Lab

← All practicals

P3

Anatomy of your session

Inspect a real session, then revoke one.

  1. 1

    Open your account and look at active sessions.

    The cookie is __Host-lab_session (HttpOnly, Secure, SameSite=Lax); only the SHA-256 of its token is stored, so a DB read never yields a usable session.

  2. 2

    Revoke a session from the device list.

    Revocation is server-side and immediate — the next request on that token is rejected, unlike a stateless token you can’t call back.

Do it

This one happens on your account page — register a passkey, revoke a session, or enroll TOTP there.

Go to your account →

🩻 X-ray — what actually happened

Your own insert-only audit trail — the real server events, sanitized (never a secret), each linked to the lesson that explains it.

Loading…