Stateful authentication is session-based authentication. It's called 'stateful' because the server keeps track of the user's authentication state.


One advantage of stateful authentication is that destroying sessions is trivial, because sessions are stored on the server. Being able to destroy sessions means the application can log out users or remove their access when malicious activity is suspected.
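The server-side revocation described above, as an added Python example that is not part of the original page. The `SessionStore` class, its method names, the idle timeout and the choice to store only a hash of each session ID are assumptions made for illustration; a real deployment would use the framework's own session handling.

```python
import hashlib
import secrets
import time


class SessionStore:
    """In-memory server-side session store (hypothetical, for illustration)."""

    def __init__(self, idle_timeout=1800):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # sha256(session id) -> {"user": ..., "last_seen": ...}

    @staticmethod
    def _key(session_id):
        # Keep only a hash so a leaked store does not expose usable session IDs.
        return hashlib.sha256(session_id.encode()).hexdigest()

    def create(self, user, now=None):
        session_id = secrets.token_urlsafe(32)  # unguessable value sent in the cookie
        now = time.time() if now is None else now
        self._sessions[self._key(session_id)] = {"user": user, "last_seen": now}
        return session_id

    def lookup(self, session_id, now=None):
        """Return the user for a live session, or None if unknown, destroyed or expired."""
        now = time.time() if now is None else now
        key = self._key(session_id)
        record = self._sessions.get(key)
        if record is None:
            return None
        if now - record["last_seen"] > self.idle_timeout:
            del self._sessions[key]  # expired: drop the server-side state
            return None
        record["last_seen"] = now
        return record["user"]

    def destroy(self, session_id):
        """Log out a single session; True if it existed."""
        return self._sessions.pop(self._key(session_id), None) is not None

    def destroy_all_for(self, user):
        """Revoke every session of a user, e.g. when malicious activity is suspected."""
        doomed = [k for k, r in self._sessions.items() if r["user"] == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)
```

Once `destroy` or `destroy_all_for` has run, the cookie value the browser still holds no longer maps to any state on the server, so the next request with it is treated as unauthenticated.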

Many backend languages have robust ways to handle authentication with sessions, meaning it's often simpler to use stateful authentication than stateless authentication.


As an application scales, using sessions can increase the server load.

If an application is deployed to multiple servers, it's necessary to ensure sessions work across all servers.

Stateful authentication is good for browser access, but it's not a suitable solution if an application offers API access to users or third-party applications. In these cases, the application should use a mix of stateful and stateless authentication methods or stick to only using stateless methods.
